{ lib, pkgs, ... }:

# NixOS module: exposes RAR archives from the qBittorrent download directory
# to Jellyfin through a rar2fs FUSE mount, run by a dedicated systemd unit.
let
  # rar2fs built against unrar 6 (the override only replaces the unrar input).
  rar2fs = pkgs.rar2fs.override { unrar = pkgs.unrar_6; };

  # Wrapper script: the store python3 as interpreter followed by the contents
  # of ./rar2fs_mounts.py (not shown here). A trailing newline is kept so the
  # result matches a line-wise join.
  rar2fs_mounts = pkgs.writeScriptBin "rar2fs_mounts" (
    "#!${pkgs.python3}/bin/python\n"
    + builtins.readFile ./rar2fs_mounts.py
    + "\n"
  );

  # Directory scanned for archives, and where the FUSE view is mounted.
  rar_path = "/var/lib/qBittorrent/downloads";
  mount_path = "/run/jellyfin/rar2fs";

  # One account is used for User, Group and the USER environment variable.
  svc_user = "jellyfin";

  # Capabilities granted to the mount helper. The same string is used for the
  # ambient set and the bounding set, so nothing beyond these three is
  # reachable even through a setuid binary.
  mount_caps = "CAP_SYS_ADMIN CAP_SETUID CAP_SETGID";

  # Sandboxing options explicitly switched off. Presumably required so the
  # FUSE mount can be created and seen outside the unit's own namespace
  # (PrivateMounts) and so the setuid wrappers on PATH still work
  # (NoNewPrivileges) — confirm against rar2fs_mounts.py.
  relaxed = {
    NoNewPrivileges = "no";
    PrivateDevices = false;
    PrivateMounts = false;
    PrivateTmp = false;
    PrivateUsers = false;
    ProtectControlGroups = false; # implies MountAPIVFS
    ProtectHome = false;
    ProtectKernelLogs = false;
    ProtectKernelModules = false;
    ProtectKernelTunables = false; # implies MountAPIVFS
    #ProtectProc = "noaccess"; # implies MountAPIVFS
    ProtectSystem = false;
  };

  # Sandboxing that stays on. With CAP_SYS_ADMIN in play these are the
  # effective containment: no network at all (address families and IP
  # filtering), native syscall ABI only, and a syscall allow-list limited to
  # the service baseline plus mount/umount and uid/gid changes.
  hardened = {
    IPAddressDeny = "any";
    LockPersonality = true;
    ProtectClock = true;
    ProtectHostname = true;
    RestrictAddressFamilies = "none";
    RestrictNamespaces = true;
    RestrictRealtime = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = [ "@system-service" "@mount" "@setuid" "umount2" ];
  };
in
{
  # allow_other is needed for a mount made by one user to be readable by
  # others; mountMax raises the system-wide FUSE mount ceiling.
  programs.fuse = {
    userAllowOther = true;
    mountMax = 1000;
  };

  environment.systemPackages = [ rar2fs ];

  systemd.services.jellyfin-rar2fs = {
    after = [ "jellyfin.service" ];
    wantedBy = [ "multi-user.target" ];
    # /run/wrappers/bin is on PATH for the system's setuid wrappers.
    path = [ rar2fs "/run/wrappers/bin" ];
    environment.USER = svc_user;

    # Attribute sets are merged left to right; the keys are disjoint, so the
    # result is the same flat serviceConfig as writing every option inline.
    serviceConfig = relaxed // hardened // {
      AmbientCapabilities = mount_caps;
      CapabilityBoundingSet = mount_caps;
      # Only the FUSE control device is exposed to the unit.
      DeviceAllow = "/dev/fuse rw";
      ExecStart = "${rar2fs_mounts}/bin/rar2fs_mounts ${rar_path} ${mount_path}";
      User = svc_user;
      Group = svc_user;
    };
  };
}