limit jellyfin cpu & memory usage

roles/jellyfin/files/jellyfin.service.conf

@@ -0,0 +1,60 @@
+# Jellyfin systemd configuration options
+
+# Use this file to override the user or environment file location.
+
+[Service]
+# Alter the user that Jellyfin runs as
+User = jellyfin
+
+# Alter where environment variables are sourced from
+#EnvironmentFile = /etc/default/jellyfin
+
+# These *should* prevent Jellyfin from fully consuming my Pi's resources
+CPUQuota=300%
+MemoryHigh=60%
+MemoryMax=75%
+
+# Service hardening options
+# These were added in PR #6953 to solve issue #6952, but some combination of
+# them causes "restart.sh" functionality to break with the following error:
+#   sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
+#   'nosuid' option set or an NFS file system without root privileges?
+# See issue #7503 for details on the troubleshooting that went into this.
+# Since these were added for NixOS specifically and are above and beyond
+# what 99% of systemd units do, they have been moved here as optional
+# additional flags to set for maximum system security and can be enabled at
+# the administrator's or package maintainer's discretion.
+# Uncomment these only if you know what you're doing, and doing so may cause
+# bugs with in-server Restart and potentially other functionality as well.
+#NoNewPrivileges=true
+#SystemCallArchitectures=native
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+#RestrictNamespaces=false
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
+#ProtectControlGroups=false
+#ProtectHostname=true
+#ProtectKernelLogs=false
+#ProtectKernelModules=false
+#ProtectKernelTunables=false
+#LockPersonality=true
+#PrivateTmp=false
+#PrivateDevices=false
+#PrivateUsers=true
+#RemoveIPC=true
+#SystemCallFilter=~@clock
+#SystemCallFilter=~@aio
+#SystemCallFilter=~@chown
+#SystemCallFilter=~@cpu-emulation
+#SystemCallFilter=~@debug
+#SystemCallFilter=~@keyring
+#SystemCallFilter=~@memlock
+#SystemCallFilter=~@module
+#SystemCallFilter=~@mount
+#SystemCallFilter=~@obsolete
+#SystemCallFilter=~@privileged
+#SystemCallFilter=~@raw-io
+#SystemCallFilter=~@reboot
+#SystemCallFilter=~@setuid
+#SystemCallFilter=~@swap
+#SystemCallErrorNumber=EPERM

roles/jellyfin/handlers/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: daemon-reload
+  systemd:
+    daemon_reload: true
+
 - name: restart-jellyfin
   service:
     name: jellyfin

roles/jellyfin/tasks/main.yml

@@ -14,6 +14,17 @@
     name: jellyfin
     state: present
 
+- name: Copy over service file
+  copy:
+    src: jellyfin.service.conf
+    dest: '/etc/systemd/system/jellyfin.service.d/jellyfin.service.conf'
+    owner: root
+    group: root
+    mode: '644'
+  notify: 
+    - daemon-reload
+    - restart-jellyfin
+
 - name: Copy over Environment file
   copy:
     src: jellyfin-defaults

roles/samba/files/smb.conf

@@ -245,3 +245,9 @@
   browseable = no
   writeable = yes
   guest ok = no
+
+[jellyfin-libraries]
+  path = /mnt/data1/jellyfin/libraries
+  browseable = no
+  writeable = yes
+  guest ok = no