diff --git a/roles/jellyfin/files/jellyfin.service.conf b/roles/jellyfin/files/jellyfin.service.conf
new file mode 100644
index 0000000..0367a9e
--- /dev/null
+++ b/roles/jellyfin/files/jellyfin.service.conf
@@ -0,0 +1,60 @@
+# Jellyfin systemd configuration options
+
+# Use this file to override the user or environment file location.
+
+[Service]
+# Alter the user that Jellyfin runs as
+User = jellyfin
+
+# Alter where environment variables are sourced from
+#EnvironmentFile = /etc/default/jellyfin
+
+# These *should* prevent Jellyfin from fully consuming my Pi's resources
+CPUQuota=300%
+MemoryHigh=60%
+MemoryMax=75%
+
+# Service hardening options
+# These were added in PR #6953 to solve issue #6952, but some combination of
+# them causes "restart.sh" functionality to break with the following error:
+# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
+# 'nosuid' option set or an NFS file system without root privileges?
+# See issue #7503 for details on the troubleshooting that went into this.
+# Since these were added for NixOS specifically and are above and beyond
+# what 99% of systemd units do, they have been moved here as optional
+# additional flags to set for maximum system security and can be enabled at
+# the administrator's or package maintainer's discretion.
+# Uncomment these only if you know what you're doing, and doing so may cause
+# bugs with in-server Restart and potentially other functionality as well.
+#NoNewPrivileges=true +#SystemCallArchitectures=native +#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +#RestrictNamespaces=false +#RestrictRealtime=true +#RestrictSUIDSGID=true +#ProtectControlGroups=false +#ProtectHostname=true +#ProtectKernelLogs=false +#ProtectKernelModules=false +#ProtectKernelTunables=false +#LockPersonality=true +#PrivateTmp=false +#PrivateDevices=false +#PrivateUsers=true +#RemoveIPC=true +#SystemCallFilter=~@clock +#SystemCallFilter=~@aio +#SystemCallFilter=~@chown +#SystemCallFilter=~@cpu-emulation +#SystemCallFilter=~@debug +#SystemCallFilter=~@keyring +#SystemCallFilter=~@memlock +#SystemCallFilter=~@module +#SystemCallFilter=~@mount +#SystemCallFilter=~@obsolete +#SystemCallFilter=~@privileged +#SystemCallFilter=~@raw-io +#SystemCallFilter=~@reboot +#SystemCallFilter=~@setuid +#SystemCallFilter=~@swap +#SystemCallErrorNumber=EPERM diff --git a/roles/jellyfin/handlers/main.yml b/roles/jellyfin/handlers/main.yml index 048ea0c..8573d40 100644 --- a/roles/jellyfin/handlers/main.yml +++ b/roles/jellyfin/handlers/main.yml @@ -1,4 +1,8 @@ --- +- name: daemon-reload + systemd: + daemon_reload: true + - name: restart-jellyfin service: name: jellyfin diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml index 0b1cc73..bea451e 100644 --- a/roles/jellyfin/tasks/main.yml +++ b/roles/jellyfin/tasks/main.yml @@ -14,6 +14,17 @@ name: jellyfin state: present +- name: Copy over service file + copy: + src: jellyfin.service.conf + dest: '/etc/systemd/system/jellyfin.service.d/jellyfin.service.conf' + owner: root + group: root + mode: '644' + notify: + - daemon-reload + - restart-jellyfin + - name: Copy over Environment file copy: src: jellyfin-defaults diff --git a/roles/samba/files/smb.conf b/roles/samba/files/smb.conf index 5b0d53d..3b9ff1f 100644 --- a/roles/samba/files/smb.conf +++ b/roles/samba/files/smb.conf 
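Review bot: In roles/jellyfin/files/jellyfin.service.conf every directive in the hardening block is commented out, so the drop-in applies only the user and the resource limits and the service runs without any sandboxing. The sudo error quoted in the comment looks like what NoNewPrivileges (and probably the setuid-related filters) would cause, so the options unrelated to privilege changes could likely be enabled without touching restart.sh, for example `ProtectHostname=true`, `RestrictRealtime=true` and `LockPersonality=true`. Several of the listed entries are set to `false` (e.g. `ProtectKernelModules=false`, `PrivateTmp=false`), so uncommenting them as written adds no protection. `systemd-analyze security jellyfin` shows the effective exposure after each change.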
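Review bot: In roles/jellyfin/handlers/main.yml the new daemon-reload handler has to stay defined above restart-jellyfin, because Ansible runs notified handlers in the order they appear in this file, not in the order of the `notify:` list, and nothing in the file records that. A comment above it would keep a later reorder from restarting the service on a stale unit definition: `# Keep above restart-jellyfin: handlers run in definition order, and the drop-in is only picked up after a reload.` The restart-jellyfin handler continues outside the hunk.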
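Review bot: In roles/jellyfin/tasks/main.yml the "Copy over service file" task assumes /etc/systemd/system/jellyfin.service.d already exists; `copy` with a single-file `src` does not create missing parent directories, so the play fails on a host where the package did not ship that directory. A preceding `file` task with `state: directory`, root-owned and not group- or world-writable, makes the role independent of the package layout and pins the permissions of a directory systemd reads unit overrides from. The mode would also read more conventionally as `'0644'`. The "Copy over Environment file" task that follows continues outside the hunk.

```yaml
- name: Ensure the systemd drop-in directory exists
  file:
    path: /etc/systemd/system/jellyfin.service.d
    state: directory
    owner: root
    group: root
    mode: '0755'

# … unchanged: "Copy over service file" task …
```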
@@ -245,3 +245,9 @@
 browseable = no
 writeable = yes
 guest ok = no
+
+[jellyfin-libraries]
+ path = /mnt/data1/jellyfin/libraries
+ browseable = no
+ writeable = yes
+ guest ok = no
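Review bot: The new [jellyfin-libraries] share sets `writeable = yes` with `guest ok = no` but no user restriction, so unless [global] limits access (not visible in this hunk) every account that can authenticate to Samba can modify or delete the media library. Restricting it explicitly, e.g. `valid users = @MEDIA_GROUP_PLACEHOLDER`, keeps write access to the accounts that actually manage the library. It is also worth checking which owner and mode files created over SMB end up with, since the jellyfin service user has to read them; `force group` and `create mask` control that. The share definition above the new one starts outside the hunk.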