stockholm/makefu/2configs/home/jellyfin.nix

67 lines
2.2 KiB
Nix

{ lib, config, ... }:
{
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
state = [ "/var/lib/jellyfin" ];
users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
systemd.services.jellyfin = {
after = [ "media-cloud.mount" ];
serviceConfig = rec {
SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
UMask = lib.mkForce "0077";
Type = lib.mkForce "simple";
StateDirectory = lib.mkForce "jellyfin";
StateDirectoryMode = lib.mkForce "0700";
CacheDirectory = lib.mkForce "jellyfin";
CacheDirectoryMode = lib.mkForce "0700";
WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
Restart = lib.mkForce "on-failure";
TimeoutSec = lib.mkForce 15;
SuccessExitStatus = lib.mkForce ["0" "143"];
# Security options:
NoNewPrivileges = lib.mkForce true;
SystemCallArchitectures = lib.mkForce "native";
# AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce true;
RestrictSUIDSGID = lib.mkForce true;
ProtectControlGroups = lib.mkForce false;
ProtectHostname = lib.mkForce true;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
LockPersonality = lib.mkForce true;
PrivateTmp = lib.mkForce false;
# needed for hardware accelaration
PrivateDevices = lib.mkForce false;
PrivateUsers = lib.mkForce true;
RemoveIPC = lib.mkForce true;
SystemCallFilter = lib.mkForce [
"~@clock"
"~@aio"
"~@chown"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@module"
"~@mount"
"~@obsolete"
"~@privileged"
"~@raw-io"
"~@reboot"
"~@setuid"
"~@swap"
];
SystemCallErrorNumber = lib.mkForce "EPERM";
};
};
}