diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index bab1f00..1047dc0 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -6,6 +6,9 @@ let auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { + disabledModules = [ "services/misc/jellyfin.nix" ]; + imports = [ ./modules/jellyfin.nix ]; + services = { jellyfin = { enable = true; @@ -16,15 +19,31 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; - extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; }; + extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } + + '' + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + ''; locations."/" = { proxyPass = "http://127.0.0.1:8096"; + # extraConfig = '' + # allow 10.0.0.0/24; + # allow 10.3.0.0/24; + # deny all; + # ''; }; locations."/socket" = { proxyPass = "http://127.0.0.1:8096"; proxyWebsockets = true; + # extraConfig = '' + # allow 10.0.0.0/24; + # allow 10.3.0.0/24; + # deny all; + # ''; }; }; }; diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix new file mode 100644 index 0000000..e62b076 --- /dev/null +++ b/hosts/architect/modules/jellyfin.nix @@ -0,0 +1,128 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let cfg = config.services.jellyfin; +in { + options = { + services.jellyfin = { + enable = mkEnableOption "Jellyfin Media Server"; + + user = mkOption { + type = types.str; + default = "jellyfin"; + description = "User account under which Jellyfin runs."; + }; + + package = mkOption { + type = types.package; + default = pkgs.jellyfin; + example = literalExample "pkgs.jellyfin"; + description = '' + Jellyfin package to use. + ''; + }; + + group = mkOption { + type = types.str; + default = "jellyfin"; + description = "Group under which jellyfin runs."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the default ports in the firewall for the media server. The + HTTP/HTTPS ports can be changed in the Web UI, so this option should + only be used if they are unchanged. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.jellyfin = { + description = "Jellyfin Media Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = rec { + User = cfg.user; + Group = cfg.group; + StateDirectory = "/jellyfin"; + CacheDirectory = "/jellyfin/cache"; + ExecStart = + "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'"; + Restart = "on-failure"; + + # Security options: + + NoNewPrivileges = true; + + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + # # ProtectClock= adds DeviceAllow=char-rtc r + # DeviceAllow = [ + # "char-drm r" + # "/dev/nvidia0 r" + # "/dev/nvidiactl r" + # "/dev/nvidia-uvm r" + # "/dev/nvidia-uvm-tools r" + # ]; + DeviceAllow = ""; + LockPersonality = true; + + PrivateTmp = true; + PrivateUsers = true; + +# ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RemoveIPC = true; + + RestrictNamespaces = true; + # # AF_NETLINK needed because Jellyfin monitors the network connection + RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" + "~@debug" + "~@keyring" + "~@memlock" + "~@obsolete" + "~@privileged" + "~@setuid" + ]; + }; + }; + + users.users = mkIf (cfg.user == "jellyfin") { + jellyfin = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; }; + + networking.firewall = mkIf cfg.openFirewall { + # from https://jellyfin.org/docs/general/networking/index.html + allowedTCPPorts = [ 8096 8920 ]; + allowedUDPPorts = [ 1900 7359 ]; + }; + + }; + + meta.maintainers = with lib.maintainers; [ minijackson ]; +}