feat: add nas host

2025-11-28 20:53:47 +01:00
parent 55d600c0c0
commit fdba2c75c7
10 changed files with 459 additions and 1 deletions
--- a/hosts/nas/modules/jellyfin.nix
+++ b/hosts/nas/modules/jellyfin.nix
@@ -0,0 +1,51 @@
+{ lib, pkgs, ... }: {
+  # Intel graphics support for hardware transcoding
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      vpl-gpu-rt
+      intel-compute-runtime
+    ];
+  };
+
+  # Set VA-API driver to iHD (modern Intel driver)
+  environment.sessionVariables = {
+    LIBVA_DRIVER_NAME = "iHD";
+  };
+
+  # Jellyfin user with render/video groups for GPU access
+  users.users.jellyfin = {
+    isSystemUser = true;
+    group = "jellyfin";
+    home = "/var/lib/jellyfin";
+    createHome = true;
+    extraGroups = [ "render" "video" ];
+  };
+  users.groups.jellyfin = {};
+
+  # Create jellyfin directory
+  systemd.tmpfiles.rules = [
+    "d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # Override systemd hardening for GPU access
+  systemd.services.jellyfin = {
+    serviceConfig = {
+      PrivateUsers = lib.mkForce false;  # Disable user namespacing - breaks GPU device access
+      DeviceAllow = [
+        "/dev/dri/card0 rw"
+        "/dev/dri/renderD128 rw"
+      ];
+      SupplementaryGroups = [ "render" "video" ];  # Critical: Explicit group membership for GPU access
+    };
+    environment = {
+      LIBVA_DRIVER_NAME = "iHD";  # Ensure service sees this variable
+    };
+  };
+}