ma home: add 3dprint, update jellyfin and music

makefu 2022-09-23 23:43:58 +02:00
parent 11a4bf085e
commit 3f0a2bd74c
3 changed files with 106 additions and 9 deletions

45
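--- a/2configs/home/3dprint.nix
+++ b/2configs/home/3dprint.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+services.mjpg-streamer = {
+enable = true;
+inputPlugin = "input_uvc.so -d /dev/web_cam -r 1280x960";
+};
+users.users.octoprint.extraGroups = [ "video" ];
+# allow octoprint to access /dev/vchiq
+# also ensure that the webcam always comes up under the same name
+services.udev.extraRules = ''
+SUBSYSTEM=="vchiq",GROUP="video",MODE="0660"
+SUBSYSTEM=="video4linux", ATTR{name}=="UVC Camera (046d:0825)",SYMLINK+="web_cam", MODE="0666", GROUP="video"
+'';
+systemd.services.octoprint = {
+path = [ pkgs.libraspberrypi ];
+};
+services.octoprint = {
+enable = true;
+plugins = plugins: with plugins;[
+costestimation
+displayprogress
+mqtt
+stlviewer
+themeify
+# octolapse
+(buildPlugin rec {
+pname = "OctoPrint-HomeAssistant";
+version = "3.6.2";
+src = pkgs.fetchFromGitHub {
+owner = "cmroche";
+repo = pname;
+rev = version;
+hash = "sha256-oo9OBmHoJFNGK7u9cVouMuBuUcUxRUrY0ppRq0OS1ro=";
+};
+})
+];
+extraConfig.plugins.mqtt.broker = {
+url = "omo.lan";
+# TODO TODO TODO
+username = "hass";
+password = "lksue43jrf";
+# TODO TODO TODO
+};
+};
+}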
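Review bot: The MQTT broker `username` and `password` under `extraConfig.plugins.mqtt.broker` are committed as string literals, so the credential is readable in the repository history and, once the configuration is evaluated, in the world-readable Nix store; the surrounding `# TODO TODO TODO` markers suggest this was meant to be temporary. The password should be treated as disclosed: rotate it on the broker and supply the new value from a file kept outside both the repository and the store, merged into OctoPrint's configuration at service start (no secret-file option is visible in this hunk, so that step would have to be added). Separately, the webcam udev rule sets `MODE="0666"` while also assigning `GROUP="video"`; since `octoprint` is added to `video` a few lines above, `MODE="0660"` looks sufficient, provided the mjpg-streamer user is in that group as well.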


@ -2,9 +2,65 @@
{
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
#users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
state = [ "/var/lib/jellyfin" ];
systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce ["char-drm rwm" "char-nvidia-frontend" "char-nvidia-uvm"];
systemd.services.jellyfin.serviceConfig.SupplementaryGroups = [ "video" "render" "download" ];
users.users.${config.services.jellyfin.user}.extraGroups = [ "download" "video" "render" ];
systemd.services.jellyfin = {
after = [ "media-cloud.mount" ];
serviceConfig = rec {
SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
UMask = lib.mkForce "0077";
Type = lib.mkForce "simple";
StateDirectory = lib.mkForce "jellyfin";
StateDirectoryMode = lib.mkForce "0700";
CacheDirectory = lib.mkForce "jellyfin";
CacheDirectoryMode = lib.mkForce "0700";
WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
Restart = lib.mkForce "on-failure";
TimeoutSec = lib.mkForce 15;
SuccessExitStatus = lib.mkForce ["0" "143"];
# Security options:
NoNewPrivileges = lib.mkForce true;
SystemCallArchitectures = lib.mkForce "native";
# AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce true;
RestrictSUIDSGID = lib.mkForce true;
ProtectControlGroups = lib.mkForce false;
ProtectHostname = lib.mkForce true;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
LockPersonality = lib.mkForce true;
PrivateTmp = lib.mkForce false;
# needed for hardware accelaration
PrivateDevices = lib.mkForce false;
PrivateUsers = lib.mkForce true;
RemoveIPC = lib.mkForce true;
SystemCallFilter = lib.mkForce [
"~@clock"
"~@aio"
"~@chown"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@module"
"~@mount"
"~@obsolete"
"~@privileged"
"~@raw-io"
"~@reboot"
"~@setuid"
"~@swap"
];
SystemCallErrorNumber = lib.mkForce "EPERM";
};
};
}
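Review bot: Most of the sandboxing switches in the new `serviceConfig` are forced off without a stated reason: `ProtectKernelModules`, `ProtectKernelTunables`, `ProtectKernelLogs`, `ProtectControlGroups`, `PrivateTmp` and `RestrictNamespaces` are all `lib.mkForce false`, while only `PrivateDevices` carries a justification. For a service that is reachable from the network (`openFirewall = true`), each of these should either be enabled or get a one-line comment in the style of the one on `PrivateDevices`, e.g. `# false: <reason Jellyfin needs this>`. With `PrivateDevices = false` the unit can see every device node unless a `DeviceAllow` list stays in effect; the page does not mark whether the standalone `DeviceAllow` line near the top of the section is kept or removed, so if it is removed, carrying `DeviceAllow = lib.mkForce [ "char-drm rwm" ];` (plus the nvidia entries if that hardware is used) into the new block would preserve the allowlist. The module's argument line lies outside the hunk.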


@ -22,10 +22,6 @@ in
locations."/".proxyPass = "http://localhost:${toString port}";
locations."/".proxyWebsockets = true;
extraConfig = ''
if ( $server_addr != "${internal-ip}" ) {
return 403;
}
'';
};
networking.firewall.allowedTCPPorts = [ port ];
}