lol

Merge pull request #175439 from Mic92/jellyfin

nixos/jellyfin: better defaults for hardware acceleration

authored by

Jörg Thalheim and committed by
GitHub
9a020f31 d8556e04

+36 -31
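--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -49,7 +49,10 @@
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
+      # This is mostly follows: https://github.com/jellyfin/jellyfin/blob/master/fedora/jellyfin.service
+      # Upstream also disable some hardenings when running in LXC, we do the same with the isContainer option
       serviceConfig = rec {
+        Type = "simple";
         User = cfg.user;
         Group = cfg.group;
         StateDirectory = "jellyfin";
@@ -57,48 +60,50 @@
         CacheDirectory = "jellyfin";
         CacheDirectoryMode = "0700";
         UMask = "0077";
+        WorkingDirectory = "/var/lib/jellyfin";
         ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
         Restart = "on-failure";
+        TimeoutSec = 15;
+        SuccessExitStatus = ["0" "143"];
 
         # Security options:
-
         NoNewPrivileges = true;
-
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
-
-        # ProtectClock= adds DeviceAllow=char-rtc r
-        DeviceAllow = "";
-
+        SystemCallArchitectures = "native";
+        # AF_NETLINK needed because Jellyfin monitors the network connection
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+        RestrictNamespaces = !config.boot.isContainer;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        ProtectControlGroups = !config.boot.isContainer;
+        ProtectHostname = true;
+        ProtectKernelLogs = !config.boot.isContainer;
+        ProtectKernelModules = !config.boot.isContainer;
+        ProtectKernelTunables = !config.boot.isContainer;
         LockPersonality = true;
-
-        PrivateTmp = true;
-        # Disabled to allow Jellyfin to access hw accel devices endpoints
-        # PrivateDevices = true;
+        PrivateTmp = !config.boot.isContainer;
+        # needed for hardware accelaration
+        PrivateDevices = false;
         PrivateUsers = true;
-
-        # Disabled as it does not allow Jellyfin to interface with CUDA devices
-        # ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-
         RemoveIPC = true;
 
-        RestrictNamespaces = true;
-        # AF_NETLINK needed because Jellyfin monitors the network connection
-        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-
-        SystemCallArchitectures = "native";
-        SystemCallErrorNumber = "EPERM";
         SystemCallFilter = [
-          "@system-service"
-          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
+          "~@clock"
+          "~@aio"
+          "~@chown"
+          "~@cpu-emulation"
+          "~@debug"
+          "~@keyring"
+          "~@memlock"
+          "~@module"
+          "~@mount"
+          "~@obsolete"
+          "~@privileged"
+          "~@raw-io"
+          "~@reboot"
+          "~@setuid"
+          "~@swap"
         ];
+        SystemCallErrorNumber = "EPERM";
       };
     };
 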
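Review bot: With `PrivateDevices = false` and the old `DeviceAllow = ""` and `CapabilityBoundingSet = ""` lines removed, the unit now has unrestricted access to every node in `/dev` rather than only the GPU devices hardware acceleration needs. A device allowlist keeps the hardening without blocking transcoding, e.g. `DevicePolicy = "closed"; DeviceAllow = [ "char-drm rw" ];` — the exact device classes (DRM render nodes, NVIDIA or V4L2 nodes) should be confirmed against the drivers Jellyfin is expected to use, and `CapabilityBoundingSet = ""` can be restored since it does not affect device access. Separately, dropping `"@system-service"` from `SystemCallFilter` turns the filter from an allowlist into a pure deny-list and so widens the permitted syscall set; if that entry was not what broke acceleration, keeping it alongside the new `~@` groups would be strictly tighter. The enclosing `systemd.services` definition starts outside the hunk.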