authormakefu <github@syntax-fehler.de>2022-09-23 23:43:58 +0200
committermakefu <github@syntax-fehler.de>2022-09-23 23:43:58 +0200
commit68db37f6c413530f35589d1da2ea758ac274d752 (patch)
tree0bc8f6972e9a38707789ac5f27bda2bb962d07dd
parent3e8f855f60dfa5bf56ab3a1d1a54e0accccbd618 (diff)
ma home: add 3dprint, update jellyfin and music
-rw-r--r--makefu/2configs/home/3dprint.nix45
-rw-r--r--makefu/2configs/home/jellyfin.nix64
-rw-r--r--makefu/2configs/home/music.nix6
3 files changed, 106 insertions, 9 deletions
diff --git a/makefu/2configs/home/3dprint.nix b/makefu/2configs/home/3dprint.nix
new file mode 100644
index 00000000..859a1884
--- /dev/null
+++ b/makefu/2configs/home/3dprint.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+ services.mjpg-streamer = {
+ enable = true;
+ inputPlugin = "input_uvc.so -d /dev/web_cam -r 1280x960";
+ };
+ users.users.octoprint.extraGroups = [ "video" ];
+ # allow octoprint to access /dev/vchiq
+ # also ensure that the webcam always comes up under the same name
+ services.udev.extraRules = ''
+ SUBSYSTEM=="vchiq",GROUP="video",MODE="0660"
+ SUBSYSTEM=="video4linux", ATTR{name}=="UVC Camera (046d:0825)",SYMLINK+="web_cam", MODE="0666", GROUP="video"
+ '';
+ systemd.services.octoprint = {
+ path = [ pkgs.libraspberrypi ];
+ };
+ services.octoprint = {
+ enable = true;
+ plugins = plugins: with plugins;[
+ costestimation
+ displayprogress
+ mqtt
+ stlviewer
+ themeify
+ # octolapse
+ (buildPlugin rec {
+ pname = "OctoPrint-HomeAssistant";
+ version = "3.6.2";
+ src = pkgs.fetchFromGitHub {
+ owner = "cmroche";
+ repo = pname;
+ rev = version;
+ hash = "sha256-oo9OBmHoJFNGK7u9cVouMuBuUcUxRUrY0ppRq0OS1ro=";
+ };
+ })
+ ];
+ extraConfig.plugins.mqtt.broker = {
+ url = "omo.lan";
+ # TODO TODO TODO
+ username = "hass";
+ password = "lksue43jrf";
+ # TODO TODO TODO
+ };
+ };
+}
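Review bot: The MQTT broker credentials under `extraConfig.plugins.mqtt.broker` are committed in plaintext, and because `services.octoprint.extraConfig` is rendered into the Nix store they also end up world-readable on the target host; the `# TODO TODO TODO` markers suggest this is known, but the value should be treated as compromised once pushed, rotated, and supplied at runtime from a file outside the store rather than from this expression. The udev rule on the `video4linux` line sets `MODE="0666"` on the camera node while also assigning `GROUP="video"`; since octoprint is already added to the `video` group on the line above, `MODE="0660"` appears sufficient and avoids exposing the camera to every local user, assuming mjpg-streamer's service user is also in that group — worth confirming. A short comment such as `# broker credentials: placeholder, real values must come from a secrets file outside the store` next to the `username`/`password` lines would make the intent explicit until the secret handling is fixed.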
diff --git a/makefu/2configs/home/jellyfin.nix b/makefu/2configs/home/jellyfin.nix
index 672a483e..acfdb259 100644
--- a/makefu/2configs/home/jellyfin.nix
+++ b/makefu/2configs/home/jellyfin.nix
@@ -2,9 +2,65 @@
{
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
- #users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
state = [ "/var/lib/jellyfin" ];
- systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
- systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce ["char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"];
- systemd.services.jellyfin.serviceConfig.SupplementaryGroups = [ "video" "render" "download" ];
+ users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
+
+ systemd.services.jellyfin = {
+
+ after = [ "media-cloud.mount" ];
+ serviceConfig = rec {
+ SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
+ UMask = lib.mkForce "0077";
+
+
+ Type = lib.mkForce "simple";
+ StateDirectory = lib.mkForce "jellyfin";
+ StateDirectoryMode = lib.mkForce "0700";
+ CacheDirectory = lib.mkForce "jellyfin";
+ CacheDirectoryMode = lib.mkForce "0700";
+ WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
+ Restart = lib.mkForce "on-failure";
+ TimeoutSec = lib.mkForce 15;
+ SuccessExitStatus = lib.mkForce ["0" "143"];
+
+ # Security options:
+ NoNewPrivileges = lib.mkForce true;
+ SystemCallArchitectures = lib.mkForce "native";
+ # AF_NETLINK needed because Jellyfin monitors the network connection
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictNamespaces = lib.mkForce false;
+ RestrictRealtime = lib.mkForce true;
+ RestrictSUIDSGID = lib.mkForce true;
+ ProtectControlGroups = lib.mkForce false;
+ ProtectHostname = lib.mkForce true;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ LockPersonality = lib.mkForce true;
+ PrivateTmp = lib.mkForce false;
+ # needed for hardware accelaration
+ PrivateDevices = lib.mkForce false;
+ PrivateUsers = lib.mkForce true;
+ RemoveIPC = lib.mkForce true;
+
+ SystemCallFilter = lib.mkForce [
+ "~@clock"
+ "~@aio"
+ "~@chown"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@keyring"
+ "~@memlock"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ "~@setuid"
+ "~@swap"
+ ];
+ SystemCallErrorNumber = lib.mkForce "EPERM";
+ };
+ };
}
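Review bot: The old `DeviceAllow` list is removed but `PrivateDevices = lib.mkForce false` is kept, so the unit now loses the device allowlist that previously limited it to the DRM and nvidia nodes; consider restoring `DeviceAllow = lib.mkForce [ "char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm" ];` inside `serviceConfig` so hardware acceleration works without granting access to every device. Several other hardening options are forced off (`RestrictNamespaces`, `ProtectControlGroups`, `ProtectKernelLogs`, `ProtectKernelModules`, `ProtectKernelTunables`, `PrivateTmp`) with no comment explaining why, unlike `PrivateDevices`; each should either carry a one-line reason or be left at the module default, and `rec` on `serviceConfig` is unnecessary since no attribute refers to another. The comment on the `PrivateDevices` line also misspells "acceleration". The enclosing attribute set begins before the hunk, so `config`/`lib` bindings are assumed from the file header.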
diff --git a/makefu/2configs/home/music.nix b/makefu/2configs/home/music.nix
index 7f5a425d..7dd8ca6e 100644
--- a/makefu/2configs/home/music.nix
+++ b/makefu/2configs/home/music.nix
@@ -22,10 +22,6 @@ in
locations."/".proxyPass = "http://localhost:${toString port}";
locations."/".proxyWebsockets = true;
- extraConfig = ''
- if ( $server_addr != "${internal-ip}" ) {
- return 403;
- }
- '';
};
+ networking.firewall.allowedTCPPorts = [ port ];
}
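Review bot: Dropping the `$server_addr != "${internal-ip}"` check removes the only visible restriction that kept this vhost reachable from the internal address alone, and the added `networking.firewall.allowedTCPPorts = [ port ];` opens the backend port on every interface, which lets clients bypass the nginx proxy entirely if the service binds to more than localhost — the `proxyPass` target suggests it may bind only to localhost, in which case the firewall line does nothing; confirm the bind address. If the intent is internal-only access, scope the opening with `networking.firewall.interfaces.<iface>.allowedTCPPorts` or keep the nginx guard. The `internal-ip` binding from the `let` block above the hunk may now be unused; the enclosing expression starts outside the hunk.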