Diffstat (limited to 'makefu/2configs/home/jellyfin.nix')
-rw-r--r-- | makefu/2configs/home/jellyfin.nix | 64 |
1 files changed, 60 insertions, 4 deletions
diff --git a/makefu/2configs/home/jellyfin.nix b/makefu/2configs/home/jellyfin.nix
index 672a483e5..acfdb2599 100644
--- a/makefu/2configs/home/jellyfin.nix
+++ b/makefu/2configs/home/jellyfin.nix
@@ -2,9 +2,65 @@
 {
 services.jellyfin.enable = true;
 services.jellyfin.openFirewall = true;
- #users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
 state = [ "/var/lib/jellyfin" ];
- systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
- systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce ["char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"];
- systemd.services.jellyfin.serviceConfig.SupplementaryGroups = [ "video" "render" "download" ];
+ users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
+
+ systemd.services.jellyfin = {
+
+ after = [ "media-cloud.mount" ];
+ serviceConfig = rec {
+ SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
+ UMask = lib.mkForce "0077";
+
+
+ Type = lib.mkForce "simple";
+ StateDirectory = lib.mkForce "jellyfin";
+ StateDirectoryMode = lib.mkForce "0700";
+ CacheDirectory = lib.mkForce "jellyfin";
+ CacheDirectoryMode = lib.mkForce "0700";
+ WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
+ Restart = lib.mkForce "on-failure";
+ TimeoutSec = lib.mkForce 15;
+ SuccessExitStatus = lib.mkForce ["0" "143"];
+
+ # Security options:
+ NoNewPrivileges = lib.mkForce true;
+ SystemCallArchitectures = lib.mkForce "native";
+ # AF_NETLINK needed because Jellyfin monitors the network connection
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictNamespaces = lib.mkForce false;
+ RestrictRealtime = lib.mkForce true;
+ RestrictSUIDSGID = lib.mkForce true;
+ ProtectControlGroups = lib.mkForce false;
+ ProtectHostname = lib.mkForce true;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ LockPersonality = lib.mkForce true;
+ PrivateTmp = lib.mkForce false;
+ # needed for hardware accelaration
+ PrivateDevices = lib.mkForce false;
+ PrivateUsers = lib.mkForce true;
+ RemoveIPC = lib.mkForce true;
+
+ SystemCallFilter = lib.mkForce [
+ "~@clock"
+ "~@aio"
+ "~@chown"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@keyring"
+ "~@memlock"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
+ SystemCallErrorNumber = lib.mkForce "EPERM";
+ };
+ };
 } |
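Review bot: The new serviceConfig keeps `PrivateDevices = lib.mkForce false;` but the `DeviceAllow` allowlist that this hunk removes (`"char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"`) is not carried over, so the device-cgroup restriction is gone and the unit can open any device node its video/render group membership permits rather than only the GPU nodes it needs. Re-adding `DeviceAllow = lib.mkForce [ "char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm" ];` next to PrivateDevices keeps the hardware-acceleration exception as narrow as it was before. Only PrivateDevices carries a justification; RestrictNamespaces, ProtectControlGroups, ProtectKernelLogs, ProtectKernelModules, ProtectKernelTunables and PrivateTmp are also forced off without a comment, and `ProtectKernelModules = lib.mkForce false;` looks inconsistent next to `"~@module"` in SystemCallFilter — a one-line why-comment on each, or re-enabling the ones the GPU path does not need, would make the intent reviewable. Stylistically, `rec` on serviceConfig is unused since no attribute refers to another, and forcing every option with lib.mkForce overrides the upstream module's own hardening wholesale instead of only the options that actually conflict with it.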