path: root/makefu/2configs/home/jellyfin.nix
blob: acfdb25999628958933d156fde648a24bcd042fa (plain)
{ lib, config, ... }:
{
  # Jellyfin media server; the module opens its ports in the firewall itself.
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };

  # Repo-specific `state` option: directories to persist. Matches the
  # StateDirectory/WorkingDirectory used below.
  state = [ "/var/lib/jellyfin" ];

  # Extra groups for the service user. "video"/"render" presumably grant access to
  # GPU device nodes for hardware transcoding, "download" to the download area --
  # confirm against the group definitions elsewhere in the config.
  users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];

  systemd.services.jellyfin = {
    # Start only once this mount is up (presumably the media share; verify).
    after = [ "media-cloud.mount" ];

    # Every value is mkForce'd so it wins over whatever the upstream nixpkgs
    # module sets for this unit.
    serviceConfig = {
      # Same groups as extraGroups above, applied at the unit level.
      SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
      # Files created by the service are private to its user.
      UMask = lib.mkForce "0077";

      Type = lib.mkForce "simple";
      StateDirectory = lib.mkForce "jellyfin";
      StateDirectoryMode = lib.mkForce "0700";
      CacheDirectory = lib.mkForce "jellyfin";
      CacheDirectoryMode = lib.mkForce "0700";
      WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
      Restart = lib.mkForce "on-failure";
      TimeoutSec = lib.mkForce 15;
      # 143 = terminated by SIGTERM; treat a clean shutdown as success.
      SuccessExitStatus = lib.mkForce [ "0" "143" ];

      # --- Sandboxing / hardening ---
      NoNewPrivileges = lib.mkForce true;
      SystemCallArchitectures = lib.mkForce "native";
      # AF_NETLINK is needed because Jellyfin monitors the network connection.
      RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
      RestrictRealtime = lib.mkForce true;
      RestrictSUIDSGID = lib.mkForce true;
      ProtectHostname = lib.mkForce true;
      LockPersonality = lib.mkForce true;
      PrivateUsers = lib.mkForce true;
      RemoveIPC = lib.mkForce true;

      # The following are deliberately switched OFF. Only PrivateDevices has a
      # stated reason (hardware acceleration needs the GPU device nodes); the
      # others are unexplained here -- NOTE(review): confirm each is still
      # required, since every one of them widens what the unit can reach.
      PrivateDevices = lib.mkForce false;
      RestrictNamespaces = lib.mkForce false;
      ProtectControlGroups = lib.mkForce false;
      ProtectKernelLogs = lib.mkForce false;
      ProtectKernelModules = lib.mkForce false;
      ProtectKernelTunables = lib.mkForce false;
      PrivateTmp = lib.mkForce false;

      # Deny-list of syscall groups; anything listed fails with EPERM rather
      # than killing the process.
      SystemCallFilter = lib.mkForce [
        "~@clock"
        "~@aio"
        "~@chown"
        "~@cpu-emulation"
        "~@debug"
        "~@keyring"
        "~@memlock"
        "~@module"
        "~@mount"
        "~@obsolete"
        "~@privileged"
        "~@raw-io"
        "~@reboot"
        "~@setuid"
        "~@swap"
      ];
      SystemCallErrorNumber = lib.mkForce "EPERM";
    };
  };
}