# NixOS module for Jellyseerr, a requests manager for Jellyfin.
#
# Declares the `services.jellyseerr` options and, when the service is enabled,
# a sandboxed systemd unit plus an opt-in firewall rule for the web UI port.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (lib)
    getExe
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;

  cfg = config.services.jellyseerr;

  # Filesystem, kernel and privilege restrictions applied to the unit.
  # NOTE(review): this set does not include CapabilityBoundingSet,
  # SystemCallFilter, RestrictAddressFamilies or RestrictNamespaces, so the
  # process keeps the default syscall and address-family surface.
  # `systemd-analyze security jellyseerr.service` lists what remains exposed.
  sandboxing = {
    # Filesystem view: no access to home directories, the whole hierarchy is
    # read-only apart from the unit's own state directory, and /tmp and the
    # mount namespace are private to the service.
    ProtectHome = true;
    ProtectSystem = "strict";
    PrivateTmp = true;
    PrivateMounts = true;
    PrivateDevices = true;

    # Kernel and host state the service has no reason to modify.
    ProtectHostname = true;
    ProtectClock = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;

    # Privilege escalation guards and cleanup of leftover IPC objects.
    NoNewPrivileges = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    RemoveIPC = true;
  };
in
{
  meta.maintainers = [ lib.maintainers.camillemndn ];

  options.services.jellyseerr = {
    enable = mkEnableOption ''Jellyseerr, a requests manager for Jellyfin'';
    package = mkPackageOption pkgs "jellyseerr" { };

    # Off by default: the web UI port is only opened in the host firewall when
    # the administrator opts in. This module sets no bind address, so which
    # interfaces the application listens on is not decided here.
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = ''Open port in the firewall for the Jellyseerr web interface.'';
    };

    # Passed to the service as the PORT environment variable.
    port = mkOption {
      type = types.port;
      default = 5055;
      description = ''The port which the Jellyseerr web UI should listen to.'';
    };

    # Passed to the service as CONFIG_DIRECTORY. The default lives under the
    # unit's StateDirectory (/var/lib/jellyseerr).
    # NOTE(review): with ProtectSystem = "strict" and no ReadWritePaths entry,
    # a value outside /var/lib/jellyseerr is presumably not writable by the
    # service - confirm before pointing this elsewhere.
    configDir = mkOption {
      type = types.path;
      default = "/var/lib/jellyseerr/config";
      description = "Config data directory";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.jellyseerr = {
      description = "Jellyseerr, a requests manager for Jellyfin";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      environment = {
        CONFIG_DIRECTORY = cfg.configDir;
        PORT = toString cfg.port;
      };

      serviceConfig = {
        Type = "exec";
        ExecStart = getExe cfg.package;
        Restart = "on-failure";

        # No static account: systemd allocates a transient user for the unit
        # and manages /var/lib/jellyseerr as its state directory.
        DynamicUser = true;
        StateDirectory = "jellyseerr";
      }
      // sandboxing;
    };

    # The firewall is only touched when openFirewall is set; the rule follows
    # the configured port.
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
  };
}