Personal-use NixOS configuration

Merge Emby flake

encode42 513115c1 d23ebb46

+298 -58
+6 -5
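--- a/config/server/media/emby.nix
+++ b/config/server/media/emby.nix
@@ -2,13 +2,11 @@
 hosts ? [ ],
 }:
 
-{ lib, flakeLib, emby-flake, ... }:
+{ lib, flakeLib, ... }:
 
 {
 services.emby = {
 enable = true;
-
-package = emby-flake.packages.x86_64-linux.default;
 };
 
 systemd.services.emby = {
@@ -20,9 +18,12 @@
 serviceConfig = {
 StateDirectory = "emby";
 
-DeviceAllow = [ "/dev/dri/card0" "/dev/dri/renderD128" ];
+DeviceAllow = [
+"/dev/dri/card0"
+"/dev/dri/renderD128"
+];
 
-SystemCallFilter = lib.mkForce [];
+SystemCallFilter = lib.mkForce [ ];
 
 };
 };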
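Review bot: `SystemCallFilter = lib.mkForce [ ];` in the second hunk empties the deny-list that `modules/emby-server.nix` (added in this same commit) sets on the unit, so on this host Emby runs with no syscall filtering at all. The commit only reformats that line, but now that the module lives in-tree the override deserves a recorded reason, for example `# syscall filter disabled because <reason>; TODO: re-enable every group except the one Emby needs`. If a single group turns out to be responsible, dropping only that entry from the module's list would keep the other restrictions in force. The lines of `systemd.services.emby` between the two hunks are not shown, so anything set there is not covered by this note.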
+6 -46
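--- a/flake.lock
+++ b/flake.lock
@@ -52,46 +52,6 @@
 "type": "github"
 }
 },
-"emby-flake": {
-"inputs": {
-"nixpkgs": "nixpkgs"
-},
-"locked": {
-"lastModified": 1764703790,
-"narHash": "sha256-9erPRLonqysossQbTD/IHILUya2pIeDg5rtUNNw9Zh4=",
-"owner": "encode42",
-"repo": "emby-server-flake",
-"rev": "292d8bf4199d92079cd1927c44033e50f4477e8d",
-"type": "github"
-},
-"original": {
-"owner": "encode42",
-"repo": "emby-server-flake",
-"type": "github"
-}
-},
-"firefox-addons": {
-"inputs": {
-"nixpkgs": [
-"nixpkgs"
-]
-},
-"locked": {
-"dir": "pkgs/firefox-addons",
-"lastModified": 1772656028,
-"narHash": "sha256-aIKNEfH6pOB5K6b5pATJLndNAyRX1l28DPwq7KumDsw=",
-"owner": "rycee",
-"repo": "nur-expressions",
-"rev": "76c2e5599604532644ad1d1c64c2385a4676f2d5",
-"type": "gitlab"
-},
-"original": {
-"dir": "pkgs/firefox-addons",
-"owner": "rycee",
-"repo": "nur-expressions",
-"type": "gitlab"
-}
-},
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -696,17 +656,17 @@
 "sqlite-lib-src": "sqlite-lib-src"
 },
 "locked": {
-"lastModified": 1772647996,
-"narHash": "sha256-SsFWAbGvYhXG0zrDlZewSlO5sq2riuj7+j0+SAZW7VM=",
+"lastModified": 1772710663,
+"narHash": "sha256-DoiqADcD2Z5NscMHPZ7a/RX1+VTexHN68P4WL6eAG04=",
 "ref": "refs/heads/master",
-"rev": "d0acfc930f3d0ca8f918cdc443d0278dcdc7e0d0",
-"revCount": 2012,
+"rev": "e326cc53ad4e9123552bdf20a192aff6ca1eb135",
+"revCount": 2019,
 "type": "git",
-"url": "https://tangled.org/@tangled.org/core"
+"url": "https://tangled.org/tangled.org/core"
 },
 "original": {
 "type": "git",
-"url": "https://tangled.org/@tangled.org/core"
+"url": "https://tangled.org/tangled.org/core"
 }
 },
 "vpn-confinement": {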
+1 -5
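--- a/flake.nix
+++ b/flake.nix
@@ -54,12 +54,8 @@
 # Server modules
 vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
 
-emby-flake = {
-url = "github:encode42/emby-server-flake";
-};
-
 tangled = {
-url = "git+https://tangled.org/@tangled.org/core";
+url = "git+https://tangled.org/tangled.org/core";
 
 inputs.nixpkgs.follows = "nixpkgs";
 };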
-1
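--- a/lib/mkSystem.nix
+++ b/lib/mkSystem.nix
@@ -71,6 +71,5 @@
 home-manager = inputs.home-manager;
 firefox-addons = inputs.firefox-addons;
 nixcord = inputs.nixcord;
-emby-flake = inputs.emby-flake;
 };
 }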
+1
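--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,7 @@
 {
 byparr = ./byparr.nix;
 cells = ./cells.nix;
+emby-server = ./emby-server.nix;
 network-optimizer = ./network-optimizer.nix;
 omnipoly = ./omnipoly.nix;
 }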
+175
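--- a/modules/emby-server.nix
+++ b/modules/emby-server.nix
@@ -0,0 +1,175 @@
+# based on https://github.com/tofu-salad/emby-server-flake/tree/a8c30e4160ee9c06ff1e875cd08dfd952868a5fb
+
+{
+config,
+pkgs,
+lib,
+...
+}:
+
+let
+pkgs-internal = import ../packages { inherit pkgs; };
+
+inherit (lib)
+mkIf
+getExe
+mkEnableOption
+mkOption
+;
+
+inherit (lib.types)
+str
+path
+bool
+package
+;
+cfg = config.services.emby;
+in
+{
+options = {
+services.emby = {
+enable = mkEnableOption "Emby Media Server";
+
+package = mkOption {
+type = package;
+default = pkgs-internal.emby-server;
+description = "The Emby package to use.";
+};
+
+user = mkOption {
+type = str;
+default = "emby";
+description = "User account under which Emby runs.";
+};
+
+group = mkOption {
+type = str;
+default = "emby";
+description = "Group under which Emby runs.";
+};
+
+dataDir = mkOption {
+type = path;
+default = "/var/lib/emby";
+description = ''
+Base data directory where Emby stores its program data.
+This is passed to Emby with the `-programdata` flag.
+'';
+};
+
+openFirewall = mkOption {
+type = bool;
+default = false;
+description = ''
+Open the default ports in the firewall for the media server.
+Opens port 8096 (HTTP) and 8920 (HTTPS).
+'';
+};
+};
+};
+
+config = mkIf cfg.enable {
+systemd = {
+tmpfiles.settings.embyDirs = {
+"${cfg.dataDir}"."d" = {
+mode = "700";
+inherit (cfg) user group;
+};
+# Emby creates subdirectories automatically, but we ensure the base exists
+"${cfg.dataDir}/plugins"."d" = {
+mode = "755";
+inherit (cfg) user group;
+};
+"${cfg.dataDir}/logs"."d" = {
+mode = "755";
+inherit (cfg) user group;
+};
+};
+
+services.emby = {
+description = "Emby Media Server";
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Type = "simple";
+User = cfg.user;
+Group = cfg.group;
+UMask = "0077";
+WorkingDirectory = cfg.dataDir;
+ExecStart = "${getExe cfg.package} -programdata '${cfg.dataDir}'";
+Restart = "on-failure";
+TimeoutSec = 15;
+SuccessExitStatus = [
+"0"
+"143"
+];
+
+# Security options (adapted from Jellyfin module):
+NoNewPrivileges = true;
+SystemCallArchitectures = "native";
+# AF_NETLINK needed because Emby monitors the network connection
+RestrictAddressFamilies = [
+"AF_UNIX"
+"AF_INET"
+"AF_INET6"
+"AF_NETLINK"
+];
+RestrictNamespaces = !config.boot.isContainer;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+ProtectControlGroups = !config.boot.isContainer;
+ProtectHostname = true;
+ProtectKernelLogs = !config.boot.isContainer;
+ProtectKernelModules = !config.boot.isContainer;
+ProtectKernelTunables = !config.boot.isContainer;
+LockPersonality = true;
+PrivateTmp = !config.boot.isContainer;
+# needed for hardware acceleration
+PrivateDevices = false;
+PrivateUsers = true;
+RemoveIPC = true;
+
+SystemCallFilter = [
+"~@clock"
+"~@aio"
+"~@chown"
+"~@cpu-emulation"
+"~@debug"
+"~@keyring"
+"~@memlock"
+"~@module"
+"~@mount"
+"~@obsolete"
+"~@privileged"
+"~@raw-io"
+"~@reboot"
+"~@setuid"
+"~@swap"
+];
+SystemCallErrorNumber = "EPERM";
+};
+};
+};
+
+users.users = mkIf (cfg.user == "emby") {
+emby = {
+inherit (cfg) group;
+isSystemUser = true;
+};
+};
+
+users.groups = mkIf (cfg.group == "emby") {
+emby = { };
+};
+
+networking.firewall = mkIf cfg.openFirewall {
+# Emby default ports
+allowedTCPPorts = [
+8096 # HTTP
+8920 # HTTPS
+];
+};
+};
+}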
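Review bot: The hardening block in `serviceConfig` restricts kernel interfaces, namespaces and syscalls but sets nothing for the filesystem, so the Emby process can still write anywhere its user has permission. Since its state lives under `cfg.dataDir`, consider adding `ProtectSystem = "strict";` and `ReadWritePaths = [ cfg.dataDir ];`, and `ProtectHome = true;` if no media library sits under a home directory. This needs checking against setups where Emby writes metadata next to the media files, which would need their paths listed as well. Separately, the tmpfiles rules create `plugins` and `logs` with mode `755` under a `700` parent while the unit runs with `UMask = "0077"`; using `700` for all three would be consistent.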
-1
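--- a/outputs.nix
+++ b/outputs.nix
@@ -57,7 +57,6 @@
 
 extraModules = [
 inputs.vpn-confinement.nixosModules.default
-inputs.emby-flake.nixosModules.default
 inputs.tangled.nixosModules.knot
 inputs.tangled.nixosModules.spindle
 ];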
+1
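--- a/packages/default.nix
+++ b/packages/default.nix
@@ -14,6 +14,7 @@
 cells-client = pkgs.callPackage ./cells-client { };
 cells-sync = pkgs.callPackage ./cells-sync { };
 collabora-online = pkgs.callPackage ./collabora-online { };
+emby-server = pkgs.callPackage ./emby-server { };
 iso2god-rs = pkgs.callPackage ./iso2god-rs { };
 mediaelch = pkgs.callPackage ./mediaelch { };
 network-optimizer = pkgs.callPackage ./network-optimizer { };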
+108
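--- a/packages/emby-server/default.nix
+++ b/packages/emby-server/default.nix
@@ -0,0 +1,108 @@
+# based on https://github.com/tofu-salad/emby-server-flake/tree/a8c30e4160ee9c06ff1e875cd08dfd952868a5fb
+
+{
+pkgs,
+lib,
+fetchurl,
+...
+}:
+
+pkgs.stdenv.mkDerivation rec {
+pname = "emby-server";
+version = "4.10.0.4";
+
+src = fetchurl {
+url = "https://github.com/MediaBrowser/Emby.Releases/releases/download/${version}/${pname}-deb_${version}_amd64.deb";
+sha256 = "sha256-NXsUInwhnxz7xLtB8W30LOl3LwG4NQkKkNLyHjgCzB0=";
+};
+
+buildInputs = with pkgs; [
+dpkg
+expat
+lttng-ust_2_12
+zlib
+];
+
+nativeBuildInputs = with pkgs; [
+autoPatchelfHook
+makeWrapper
+];
+
+# Tell autoPatchelfHook where to find the bundled libraries
+autoPatchelfIgnoreMissingDeps = [
+"libavdevice.so.59"
+"libavfilter.so.8"
+"libavformat.so.59"
+"libavcodec.so.59"
+"libpostproc.so.56"
+"libswresample.so.4"
+"libswscale.so.6"
+"libavutil.so.57"
+];
+
+unpackPhase = ''
+dpkg-deb -x $src unpacked
+cd unpacked
+'';
+
+installPhase = ''
+# Copy everything to the output
+cp -r opt/emby-server $out/
+
+# Remove systemd files and licenses we don't need
+rm -rf $out/lib/systemd
+rm -rf $out/licenses
+
+# Fix paths in scripts
+find $out/bin -type f -exec sed -i "s|/opt/emby-server|$out|g" {} \;
+
+# Create bin directory for wrappers
+mkdir -p $out/bin
+
+# Create wrapper for main emby server (disable auto-updates with empty updatepackage)
+makeWrapper "$out/bin/emby-server" $out/bin/emby \
+--prefix LD_LIBRARY_PATH : "$out/lib:$out/lib/x86_64-linux-gnu" \
+--add-flags "$out/EmbyServer.dll -ffmpeg $out/bin/emby-ffmpeg -ffprobe $out/bin/emby-ffprobe -updatepackage \"\""
+
+# Create wrapper for emby-ffmpeg that sets up library path
+mv $out/bin/emby-ffmpeg $out/bin/.emby-ffmpeg-unwrapped
+makeWrapper "$out/bin/.emby-ffmpeg-unwrapped" $out/bin/emby-ffmpeg \
+--prefix LD_LIBRARY_PATH : "$out/lib:$out/lib/x86_64-linux-gnu"
+
+# Create wrapper for emby-ffdetect
+mv $out/bin/emby-ffdetect $out/bin/.emby-ffdetect-unwrapped
+makeWrapper "$out/bin/.emby-ffdetect-unwrapped" $out/bin/emby-ffdetect \
+--prefix LD_LIBRARY_PATH : "$out/lib:$out/lib/x86_64-linux-gnu"
+
+# Also wrap the direct ffmpeg/ffprobe binaries
+mv $out/bin/ffmpeg $out/bin/.ffmpeg-unwrapped
+makeWrapper "$out/bin/.ffmpeg-unwrapped" $out/bin/ffmpeg \
+--prefix LD_LIBRARY_PATH : "$out/lib:$out/lib/x86_64-linux-gnu"
+
+mv $out/bin/ffprobe $out/bin/.ffprobe-unwrapped
+makeWrapper "$out/bin/.ffprobe-unwrapped" $out/bin/ffprobe \
+--prefix LD_LIBRARY_PATH : "$out/lib:$out/lib/x86_64-linux-gnu"
+'';
+
+# Run autoPatchelfHook manually after installPhase
+postFixup = ''
+# Patch all binaries to use system libraries where possible
+# The FFmpeg libraries from the deb will be found via LD_LIBRARY_PATH
+autoPatchelf $out/bin/.emby-ffmpeg-unwrapped || true
+autoPatchelf $out/bin/.emby-ffdetect-unwrapped || true
+autoPatchelf $out/bin/.ffmpeg-unwrapped || true
+autoPatchelf $out/bin/.ffprobe-unwrapped || true
+
+# Also patch other binaries
+find $out/bin -name "*.so" -exec autoPatchelf {} \; || true
+'';
+
+meta = {
+description = "Emby Media Server";
+homepage = "https://emby.media/";
+license = lib.licenses.unfree;
+maintainers = with lib.maintainers; [ encode42 ];
+platforms = [ "x86_64-linux" ];
+mainProgram = "emby";
+};
+}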
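Review bot: In `postFixup`, each `autoPatchelf … || true` throws away the exit status, so the derivation builds successfully even when ELF patching failed and the problem only appears at run time. The last line, `find $out/bin -name "*.so" -exec autoPatchelf {} \; || true`, probably patches nothing: as far as I know `autoPatchelf` is a shell function defined by the hook, which `find -exec` cannot call, and the `|| true` hides that as well. `autoPatchelfHook` in `nativeBuildInputs` already runs during fixup and `autoPatchelfIgnoreMissingDeps` already tolerates the bundled FFmpeg sonames, so the manual calls could be dropped, or at least lose the `|| true`. The comment above `autoPatchelfIgnoreMissingDeps` would be more accurate as `# Bundled FFmpeg libraries are resolved at run time via LD_LIBRARY_PATH; do not fail on them`. Since `src` is a prebuilt `.deb`, `meta` could also declare `sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];`.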