jellyfin: Prefer fMP4-HLS Media Container for all users

2026-04-16 01:11:59 -04:00
parent 55fda4b5ee
commit 735603deb8
5 changed files with 241 additions and 0 deletions
--- a/services/jellyfin/jellyfin-set-defaults.nix
+++ b/services/jellyfin/jellyfin-set-defaults.nix
@@ -0,0 +1,47 @@
+{
+  pkgs,
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+lib.mkIf config.services.jellyfin.enable {
+  systemd.services."jellyfin-set-defaults" = {
+    description = "Enforce default Jellyfin user preferences (fMP4-HLS)";
+    after = [ "jellyfin.service" ];
+    requires = [ "jellyfin.service" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.python3}/bin/python ${./jellyfin-set-defaults.py}";
+
+      # Security hardening
+      DynamicUser = true;
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+
+      LoadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";
+    };
+
+    environment = {
+      JELLYFIN_URL = "http://127.0.0.1:${toString service_configs.ports.private.jellyfin.port}";
+    };
+  };
+
+  # Run at boot and daily to catch newly created users
+  systemd.timers."jellyfin-set-defaults" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "2min";
+      OnUnitActiveSec = "1d";
+    };
+  };
+}