Working Jellyfin transcoding setup + crowdsec

2025-04-14 13:46:23 +02:00 · 2025-04-14 13:46:23 +02:00 · 1d126cae12
commit 1d126cae12
parent 0d3bf29866
3 changed files with 26 additions and 3 deletions
--- a/services/jellyfin/default.nix
+++ b/services/jellyfin/default.nix
@ -15,19 +15,19 @@ in {
      sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; };
      systemPackages = with pkgs; [
        cifs-utils
-        intel-gpu-tools
      ];
    };
    # Intel Hardware Acceleration config
    hardware = {
+      enableAllFirmware = true;
      intel-gpu-tools.enable = true;
      graphics = {
        enable = true;
        extraPackages = with pkgs; [
          intel-media-driver
          vaapiVdpau
-          libvdpau-va-gl
          intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+          intel-ocl
          vpl-gpu-rt # QSV on 11th gen or newer
        ];
        extraPackages32 = with pkgs.pkgsi686Linux; [
--- a/systems/minimalLXCConfig.nix
+++ b/systems/minimalLXCConfig.nix
@ -98,6 +98,7 @@
      netcat-openbsd
    ];
  };
+
  age.secrets = {
    cs-lapi-key = {
      file = ../secrets/cs-lapi-key.age;
--- a/systems/minimalVMConfig.nix
+++ b/systems/minimalVMConfig.nix
@ -35,7 +35,7 @@
  users = {
    users.tbarnouin = {
      isNormalUser = true;
-      extraGroups = ["wheel"];
+      extraGroups = ["wheel" "video" "render"];
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
@ -86,6 +86,13 @@
    ];
  };

+  age.secrets = {
+    cs-lapi-key = {
+      file = ../secrets/cs-lapi-key.age;
+      owner = "crowdsec";
+    };
+  };
+
  services = {
    cloud-init.network.enable = true;
    openssh = {
@ -103,6 +110,21 @@
    fail2ban = {
      enable = true;
    };
+    crowdsec = {
+      enable = true;
+      package = pkgs.crowdsec;
+      autoUpdateService = false;
+      openFirewall = true;
+      settings = {
+        general = {
+          prometheus.listen_addr = "0.0.0.0";
+        };
+        lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
+      };
+      hub.collections = [
+        "crowdsecurity/linux"
+      ];
+    };
    rsyslogd = {
      enable = true;
      extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";