From 7144947b5df78a960cf4363c9de24cad7c4fca45 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Mon, 27 Feb 2023 20:01:01 +0100
Subject: [PATCH] jellyfin: Remove module, override StateDirectory and follow upstream

---
 hosts/architect/jellyfin.nix | 4 +-
 hosts/architect/modules/jellyfin.nix | 128 ---------------------------
 2 files changed, 2 insertions(+), 130 deletions(-)
 delete mode 100644 hosts/architect/modules/jellyfin.nix

diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index f7599a4..e2ad9fc 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -6,8 +6,8 @@ let auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
-  disabledModules = [ "services/misc/jellyfin.nix" ];
-  imports = [ ./modules/jellyfin.nix ];
+  # needed since StateDirectory does not accept symlinks
+  systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
   services = {
     jellyfin = {
diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix
deleted file mode 100644
index f5e70f2..0000000
--- a/hosts/architect/modules/jellyfin.nix
+++ /dev/null
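Review bot: The added `StateDirectory = lib.mkForce ""` switches off systemd's creation and chown of the state directory, and nothing in this hunk shows what provisions the symlink target or guarantees it is owned by the service user, so a missing or wrongly-owned target would only surface as a start-up failure. The one-line comment should record where the state actually lives and what creates it, e.g. `# StateDirectory= rejects symlinks, so systemd no longer creates/chowns the state dir; the symlink target (<STATE_PATH placeholder>) must be provisioned and owned by the jellyfin user elsewhere (tmpfiles rule or activation script)`. If the upstream unit this host now follows applies ProtectSystem= or derives its writable paths from StateDirectory, the symlink target will likely also need an explicit `ReadWritePaths=` entry; that cannot be confirmed from this hunk. The enclosing attribute set continues past the hunk.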
@@ -1,128 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let cfg = config.services.jellyfin;
-in {
-  options = {
-    services.jellyfin = {
-      enable = mkEnableOption "Jellyfin Media Server";
-
-      user = mkOption {
-        type = types.str;
-        default = "jellyfin";
-        description = "User account under which Jellyfin runs.";
-      };
-
-      package = mkOption {
-        type = types.package;
-        default = pkgs.jellyfin;
-        example = literalExample "pkgs.jellyfin";
-        description = ''
-          Jellyfin package to use.
-        '';
-      };
-
-      group = mkOption {
-        type = types.str;
-        default = "jellyfin";
-        description = "Group under which jellyfin runs.";
-      };
-
-      openFirewall = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Open the default ports in the firewall for the media server. The
-          HTTP/HTTPS ports can be changed in the Web UI, so this option should
-          only be used if they are unchanged.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.jellyfin = {
-      description = "Jellyfin Media Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = rec {
-        User = cfg.user;
-        Group = cfg.group;
-        StateDirectory = "/jellyfin";
-        CacheDirectory = "/jellyfin/cache";
-        ExecStart =
-          "${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'";
-        Restart = "on-failure";
-
-        # Security options:
-
-        NoNewPrivileges = true;
-
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
-
-        # # ProtectClock= adds DeviceAllow=char-rtc r
-        # DeviceAllow = [
-        #   "char-drm r"
-        #   "/dev/nvidia0 r"
-        #   "/dev/nvidiactl r"
-        #   "/dev/nvidia-uvm r"
-        #   "/dev/nvidia-uvm-tools r"
-        # ];
-        DeviceAllow = "";
-        LockPersonality = true;
-
-        PrivateTmp = true;
-        PrivateUsers = true;
-
-        # ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-
-        RemoveIPC = true;
-
-        RestrictNamespaces = true;
-        # # AF_NETLINK needed because Jellyfin monitors the network connection
-        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-
-        SystemCallArchitectures = "native";
-        SystemCallErrorNumber = "EPERM";
-        SystemCallFilter = [
-          "@system-service"
-          "~@cpu-emulation"
-          "~@debug"
-          "~@keyring"
-          "~@memlock"
-          "~@obsolete"
-          "~@privileged"
-          "~@setuid"
-        ];
-      };
-    };
-
-    users.users = mkIf (cfg.user == "jellyfin") {
-      jellyfin = {
-        group = cfg.group;
-        isSystemUser = true;
-      };
-    };
-
-    users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
-
-    networking.firewall = mkIf cfg.openFirewall {
-      # from https://jellyfin.org/docs/general/networking/index.html
-      allowedTCPPorts = [ 8096 8920 ];
-      allowedUDPPorts = [ 1900 7359 ];
-    };
-
-  };
-
-  meta.maintainers = with lib.maintainers; [ minijackson ];
-}