| blob | e09de7aec50b1e277eec1f33a929efcf9fb773af |
1 { config, pkgs, lib, ... }:
2 let
3 cfg = config.services.jellyseerr;
4 in
5 {
6 meta.maintainers = [ lib.maintainers.camillemndn ];
8 options.services.jellyseerr = {
9 enable = lib.mkEnableOption ''Jellyseerr, a requests manager for Jellyfin'';
10 package = lib.mkPackageOption pkgs "jellyseerr" { };
12 openFirewall = lib.mkOption {
13 type = lib.types.bool;
14 default = false;
15 description = ''Open port in the firewall for the Jellyseerr web interface.'';
16 };
18 port = lib.mkOption {
19 type = lib.types.port;
20 default = 5055;
21 description = ''The port which the Jellyseerr web UI should listen to.'';
22 };
23 };
25 config = lib.mkIf cfg.enable {
26 systemd.services.jellyseerr = {
27 description = "Jellyseerr, a requests manager for Jellyfin";
28 after = [ "network.target" ];
29 wantedBy = [ "multi-user.target" ];
30 environment.PORT = toString cfg.port;
31 serviceConfig = {
32 Type = "exec";
33 StateDirectory = "jellyseerr";
34 WorkingDirectory = "${cfg.package}/libexec/jellyseerr/deps/jellyseerr";
35 DynamicUser = true;
36 ExecStart = lib.getExe cfg.package;
37 BindPaths = [ "/var/lib/jellyseerr/:${cfg.package}/libexec/jellyseerr/deps/jellyseerr/config/" ];
38 Restart = "on-failure";
39 ProtectHome = true;
40 ProtectSystem = "strict";
41 PrivateTmp = true;
42 PrivateDevices = true;
43 ProtectHostname = true;
44 ProtectClock = true;
45 ProtectKernelTunables = true;
46 ProtectKernelModules = true;
47 ProtectKernelLogs = true;
48 ProtectControlGroups = true;
49 NoNewPrivileges = true;
50 RestrictRealtime = true;
51 RestrictSUIDSGID = true;
52 RemoveIPC = true;
53 PrivateMounts = true;
54 };
55 };
57 networking.firewall = lib.mkIf cfg.openFirewall {
58 allowedTCPPorts = [ cfg.port ];
59 };
60 };
61 }