diff options
Diffstat (limited to 'nixos/modules/services/misc/jellyfin.nix')
-rw-r--r-- | nixos/modules/services/misc/jellyfin.nix | 60 |
1 files changed, 55 insertions, 5 deletions
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 0493dadea94..6d64acc0291 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -18,6 +18,7 @@ in package = mkOption { type = types.package; + default = pkgs.jellyfin; example = literalExample "pkgs.jellyfin"; description = '' Jellyfin package to use. @@ -29,6 +30,16 @@ in default = "jellyfin"; description = "Group under which jellyfin runs."; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the default ports in the firewall for the media server. The + HTTP/HTTPS ports can be changed in the Web UI, so this option should + only be used if they are unchanged. + ''; + }; }; }; @@ -45,14 +56,47 @@ in CacheDirectory = "jellyfin"; ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; Restart = "on-failure"; + + # Security options: + + NoNewPrivileges = true; + + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + + LockPersonality = true; + + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RemoveIPC = true; + + RestrictNamespaces = true; + # AF_NETLINK needed because Jellyfin monitors the network connection + RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" + ]; }; }; - services.jellyfin.package = mkDefault ( - if versionAtLeast config.system.stateVersion "20.09" then pkgs.jellyfin - else pkgs.jellyfin_10_5 - ); - users.users = mkIf (cfg.user == "jellyfin") { jellyfin = { group = cfg.group; @@ -64,6 +108,12 @@ in jellyfin = {}; }; + networking.firewall = mkIf cfg.openFirewall { + # from https://jellyfin.org/docs/general/networking/index.html + allowedTCPPorts = [ 8096 8920 ]; + allowedUDPPorts = [ 1900 7359 ]; + }; + }; meta.maintainers = with lib.maintainers; [ minijackson ]; |