initial commit

4 files changed, 132 insertions, 0 deletions

diff --git a/roles/jellyfin/templates/etc/jellyfin/network.xml.j2 b/roles/jellyfin/templates/etc/jellyfin/network.xml.j2
new file mode 100644
index 0000000..9b73f6b
--- /dev/null
+++ b/roles/jellyfin/templates/etc/jellyfin/network.xml.j2
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <RequireHttps>false</RequireHttps>
+  <BaseUrl />
+  <PublicHttpsPort>0</PublicHttpsPort>
+  <HttpServerPortNumber>{{ jellyfin_port }}</HttpServerPortNumber>
+  <HttpsPortNumber>0</HttpsPortNumber>
+  <EnableHttps>false</EnableHttps>
+  <PublicPort>{{ jellyfin_port }}</PublicPort>
+  <UPnPCreateHttpPortMap>false</UPnPCreateHttpPortMap>
+  <UDPPortRange />
+  <EnableIPV6>false</EnableIPV6>
+  <EnableIPV4>true</EnableIPV4>
+  <EnableSSDPTracing>false</EnableSSDPTracing>
+  <SSDPTracingFilter />
+  <UDPSendCount>2</UDPSendCount>
+  <UDPSendDelay>100</UDPSendDelay>
+  <IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
+  <VirtualInterfaceNames>vEthernet*</VirtualInterfaceNames>
+  <GatewayMonitorPeriod>60</GatewayMonitorPeriod>
+  <TrustAllIP6Interfaces>false</TrustAllIP6Interfaces>
+  <HDHomerunPortRange />
+  <PublishedServerUriBySubnet />
+  <AutoDiscoveryTracing>false</AutoDiscoveryTracing>
+  <AutoDiscovery>true</AutoDiscovery>
+  <RemoteIPFilter />
+  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
+  <EnableUPnP>false</EnableUPnP>
+  <EnableRemoteAccess>true</EnableRemoteAccess>
+  <LocalNetworkSubnets />
+  <LocalNetworkAddresses>
+    <string>127.0.0.1</string>
+  </LocalNetworkAddresses>
+  <KnownProxies />
+  <EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
+</NetworkConfiguration>
diff --git a/roles/jellyfin/templates/etc/sysconfig/jellyfin.j2 b/roles/jellyfin/templates/etc/sysconfig/jellyfin.j2
new file mode 100644
index 0000000..75f56ff
--- /dev/null
+++ b/roles/jellyfin/templates/etc/sysconfig/jellyfin.j2
@@ -0,0 +1,22 @@
+# Program directories
+JELLYFIN_DATA_DIR="/var/lib/jellyfin"
+JELLYFIN_CONFIG_DIR="/etc/jellyfin"
+JELLYFIN_LOG_DIR="/var/log/jellyfin"
+JELLYFIN_CACHE_DIR="/var/cache/jellyfin"
+
+# web client path, installed by the jellyfin-web package
+JELLYFIN_WEB_OPT="--webdir={{ jellyfin_install_dir }}/jellyfin-web"
+
+# [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
+#JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/bin/ffmpeg"
+
+# [OPTIONAL] run Jellyfin as a headless service
+JELLYFIN_SERVICE_OPT="--service"
+
+# [OPTIONAL] run Jellyfin without the web app
+#JELLYFIN_NOWEBAPP_OPT="--noautorunwebapp"
+
+# [OPTIONAL] run Jellyfin with ASP.NET Server Garbage Collection (uses more RAM and less CPU than Workstation GC)
+# 0 = Workstation
+# 1 = Server
+COMPlus_gcServer=1
diff --git a/roles/jellyfin/templates/etc/systemd/system/jellyfin.service.j2 b/roles/jellyfin/templates/etc/systemd/system/jellyfin.service.j2
new file mode 100644
index 0000000..2b809bb
--- /dev/null
+++ b/roles/jellyfin/templates/etc/systemd/system/jellyfin.service.j2
@@ -0,0 +1,51 @@
+[Unit]
+Description = Jellyfin Media Server
+After=autofs.service network-online.target nss-user-lookup.target
+
+[Service]
+Type = simple
+EnvironmentFile = /etc/sysconfig/jellyfin
+User = {{ jellyfin_user }}
+Group = {{ jellyfin_user }}
+WorkingDirectory = /var/lib/jellyfin
+ExecStart = {{ jellyfin_install_dir }}/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
+Restart = on-failure
+TimeoutSec = 15
+SuccessExitStatus=0 143
+
+NoNewPrivileges=true
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=false
+RestrictRealtime=true
+RestrictSUIDSGID=true
+ProtectClock=true
+ProtectControlGroups=false
+ProtectHostname=true
+ProtectKernelLogs=false
+ProtectKernelModules=false
+ProtectKernelTunables=false
+LockPersonality=true
+PrivateTmp=false
+PrivateDevices=false
+PrivateUsers=true
+RemoveIPC=true
+SystemCallFilter=~@clock
+SystemCallFilter=~@aio
+SystemCallFilter=~@chown
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@keyring
+SystemCallFilter=~@memlock
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@setuid
+SystemCallFilter=~@swap
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy = multi-user.target
diff --git a/roles/jellyfin/templates/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml.j2 b/roles/jellyfin/templates/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml.j2
new file mode 100644
index 0000000..5326ff2
--- /dev/null
+++ b/roles/jellyfin/templates/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml.j2
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <LdapServer>{{ jellyfin_ldap_server }}</LdapServer>
+  <LdapPort>636</LdapPort>
+  <UseSsl>true</UseSsl>
+  <UseStartTls>false</UseStartTls>
+  <SkipSslVerify>false</SkipSslVerify>
+  <LdapBindUser>uid={{ jellyfin_sysaccount_username }},{{ freeipa_sysaccount_basedn }}</LdapBindUser>
+  <LdapBindPassword>{{ jellyfin_sysaccount_password }}</LdapBindPassword>
+  <LdapBaseDn>{{ freeipa_user_basedn }}</LdapBaseDn>
+  <LdapSearchFilter>(memberOf=cn={{ jellyfin_access_group }},{{ freeipa_group_basedn }})</LdapSearchFilter>
+  <LdapAdminBaseDn />
+  <LdapAdminFilter>(memberOf=cn={{ jellyfin_admin_group }},{{ freeipa_group_basedn }})</LdapAdminFilter>
+  <LdapSearchAttributes>uid</LdapSearchAttributes>
+  <EnableCaseInsensitiveUsername>false</EnableCaseInsensitiveUsername>
+  <CreateUsersFromLdap>true</CreateUsersFromLdap>
+  <AllowPassChange>false</AllowPassChange>
+  <LdapUsernameAttribute>uid</LdapUsernameAttribute>
+  <LdapPasswordAttribute>userPassword</LdapPasswordAttribute>
+  <EnableAllFolders>true</EnableAllFolders>
+  <EnabledFolders />
+  <PasswordResetUrl />
+</PluginConfiguration>