pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #293118 from xyven1/harden-plex-service

nixos/plex: Harden plex service

Peder Bergebakken Sundt 087055ed 6eca1ac4

options
unified split
Changed files
+29
nixos
modules
services
misc
plex.nix
+29
nixos/modules/services/misc/plex.nix 
···

       
93

       
 

       
        '';


     

       
94

       
 

       
      };


     

       
95

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
96

       
 

       
      package = mkPackageOption pkgs "plex" {


     

       
97

       
 

       
        extraDescription = ''


     

       
98

       
 

       
          Plex subscribers may wish to use their own package here,


     
···

       
133

       
 

       
        KillSignal = "SIGQUIT";


     

       
134

       
 

       
        PIDFile = "${cfg.dataDir}/Plex Media Server/plexmediaserver.pid";


     

       
135

       
 

       
        Restart = "on-failure";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
136

       
 

       
      };


     

       
137

       
 

       



     

       
138

       
 

       
      environment = {


     
···

       
93

       
 

       
        '';


     

       
94

       
 

       
      };


     

       
95

       
 

       



     

       
96

       
+

       
      accelerationDevices = mkOption {


     

       
97

       
+

       
        type = types.listOf types.str;


     

       
98

       
+

       
        default = ["*"];


     

       
99

       
+

       
        example = [ "/dev/dri/renderD128" ];


     

       
100

       
+

       
        description = ''


     

       
101

       
+

       
          A list of device paths to hardware acceleration devices that Plex should


     

       
102

       
+

       
          have access to. This is useful when transcoding media files.


     

       
103

       
+

       
          The special value `"*"` will allow all devices.


     

       
104

       
+

       
        '';


     

       
105

       
+

       
      };


     

       
106

       
+

       



     

       
107

       
 

       
      package = mkPackageOption pkgs "plex" {


     

       
108

       
 

       
        extraDescription = ''


     

       
109

       
 

       
          Plex subscribers may wish to use their own package here,


     
···

       
144

       
 

       
        KillSignal = "SIGQUIT";


     

       
145

       
 

       
        PIDFile = "${cfg.dataDir}/Plex Media Server/plexmediaserver.pid";


     

       
146

       
 

       
        Restart = "on-failure";


     

       
147

       
+

       



     

       
148

       
+

       
        # Hardening


     

       
149

       
+

       
        NoNewPrivileges = true;


     

       
150

       
+

       
        PrivateTmp = true;


     

       
151

       
+

       
        PrivateDevices = cfg.accelerationDevices == [];


     

       
152

       
+

       
        DeviceAllow = mkIf (cfg.accelerationDevices != [] && !lib.elem "*" cfg.accelerationDevices) cfg.accelerationDevices;


     

       
153

       
+

       
        ProtectSystem = true;


     

       
154

       
+

       
        ProtectHome = true;


     

       
155

       
+

       
        ProtectControlGroups = true;


     

       
156

       
+

       
        ProtectKernelModules = true;


     

       
157

       
+

       
        ProtectKernelTunables = true;


     

       
158

       
+

       
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"];


     

       
159

       
+

       
        # This could be made to work if the namespaces needed were known


     

       
160

       
+

       
        # RestrictNamespaces = true;


     

       
161

       
+

       
        RestrictRealtime = true;


     

       
162

       
+

       
        RestrictSUIDSGID = true;


     

       
163

       
+

       
        MemoryDenyWriteExecute = true;


     

       
164

       
+

       
        LockPersonality = true;


     

       
165

       
 

       
      };


     

       
166

       
 

       



     

       
167

       
 

       
      environment = {