# NixOS module for Jellyseerr, a requests manager for Jellyfin.
#
# Declares `services.jellyseerr.{enable,openFirewall,port}` and, when enabled,
# a sandboxed systemd unit that runs the packaged binary under a dynamic user.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mdDoc mkEnableOption mkIf mkOption types;

  cfg = config.services.jellyseerr;

  # Directory inside the package that the unit uses as its working directory.
  appDir = "${pkgs.jellyseerr}/libexec/jellyseerr/deps/jellyseerr";
in
{
  meta.maintainers = [ lib.maintainers.camillemndn ];

  options.services.jellyseerr = {
    enable = mkEnableOption (mdDoc ''Jellyseerr, a requests manager for Jellyfin'');

    # Off by default: the web interface is only reachable through the firewall
    # when the administrator opts in.
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = mdDoc ''Open port in the firewall for the Jellyseerr web interface.'';
    };

    port = mkOption {
      type = types.port;
      default = 5055;
      description = mdDoc ''The port which the Jellyseerr web UI should listen to.'';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.jellyseerr = {
      description = "Jellyseerr, a requests manager for Jellyfin";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # The listening port is handed to the process through its environment.
      environment = {
        PORT = toString cfg.port;
      };

      serviceConfig = {
        Type = "exec";
        ExecStart = "${pkgs.jellyseerr}/bin/jellyseerr";
        WorkingDirectory = appDir;
        Restart = "on-failure";

        # Identity and state: systemd allocates a transient user for the
        # service and provides /var/lib/jellyseerr as its state directory.
        DynamicUser = true;
        StateDirectory = "jellyseerr";

        # The state directory is bind-mounted over the package's `config/`
        # directory, so writes to that path land in /var/lib/jellyseerr
        # instead of the package tree.
        # NOTE(review): presumably the application stores its settings under
        # ./config relative to the working directory; confirm upstream.
        BindPaths = [ "/var/lib/jellyseerr/:${appDir}/config/" ];

        # Filesystem view: with ProtectSystem = "strict" the file system
        # hierarchy is read-only for the service apart from the state
        # directory and the private /tmp.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateMounts = true;

        # Kernel and host surface.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectClock = true;

        # Privilege handling.
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RemoveIPC = true;

        # NOTE(review): no SystemCallFilter, CapabilityBoundingSet,
        # RestrictAddressFamilies or RestrictNamespaces is set in this unit.
        # `systemd-analyze security jellyseerr` shows the remaining exposure;
        # check each addition against the running service before adopting it.
      };
    };

    # Accepts inbound TCP on the configured port when openFirewall is set.
    # This module configures neither TLS nor an address restriction, so a
    # host reachable from untrusted networks would normally sit behind a
    # reverse proxy instead of enabling this.
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
  };
}