From 1d126cae12397ef716cc516196f36b99b4ebae33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= <theo.barnouin@protonmail.com>
Date: Mon, 14 Apr 2025 13:46:23 +0200
Subject: [PATCH] Working Jellyfin transcoding setup + crowdsec

---
 services/jellyfin/default.nix |  4 ++--
 systems/minimalLXCConfig.nix  |  1 +
 systems/minimalVMConfig.nix   | 24 +++++++++++++++++++++++-
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix
index 848acae..7bc005a 100644
--- a/services/jellyfin/default.nix
+++ b/services/jellyfin/default.nix
@@ -15,19 +15,19 @@ in {
       sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; };
       systemPackages = with pkgs; [
         cifs-utils
-        intel-gpu-tools
       ];
     };
     # Intel Hardware Acceleration config
     hardware = {
+      enableAllFirmware = true;
       intel-gpu-tools.enable = true;
       graphics = {
         enable = true;
         extraPackages = with pkgs; [
           intel-media-driver
           vaapiVdpau
-          libvdpau-va-gl
           intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+          intel-ocl
           vpl-gpu-rt # QSV on 11th gen or newer
         ];
         extraPackages32 = with pkgs.pkgsi686Linux; [
diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix
index ef84f83..13bb00b 100644
--- a/systems/minimalLXCConfig.nix
+++ b/systems/minimalLXCConfig.nix
@@ -98,6 +98,7 @@
       netcat-openbsd
     ];
   };
+
   age.secrets = {
     cs-lapi-key = {
       file = ../secrets/cs-lapi-key.age;
diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix
index 7cbc576..7fbe700 100644
--- a/systems/minimalVMConfig.nix
+++ b/systems/minimalVMConfig.nix
@@ -35,7 +35,7 @@
   users = {
     users.tbarnouin = {
       isNormalUser = true;
-      extraGroups = ["wheel"];
+      extraGroups = ["wheel" "video" "render"];
       shell = pkgs.zsh;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
@@ -86,6 +86,13 @@
     ];
   };
 
+  age.secrets = {
+    cs-lapi-key = {
+      file = ../secrets/cs-lapi-key.age;
+      owner = "crowdsec";
+    };
+  };
+
   services = {
     cloud-init.network.enable = true;
     openssh = {
@@ -103,6 +110,21 @@
     fail2ban = {
       enable = true;
     };
+    crowdsec = {
+      enable = true;
+      package = pkgs.crowdsec;
+      autoUpdateService = false;
+      openFirewall = true;
+      settings = {
+        general = {
+          prometheus.listen_addr = "0.0.0.0";
+        };
+        lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
+      };
+      hub.collections = [
+        "crowdsecurity/linux"
+      ];
+    };
     rsyslogd = {
       enable = true;
       extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";