|
| 1 | +# Jellyfin - Free Software Media System (stream & transcode video) |
| 2 | +# Web interface: http://<host-ip>:8096 |
| 3 | +# |
| 4 | +# Runs the official jellyfin/jellyfin image rootless. Video transcoding is |
| 5 | +# hardware-accelerated through VAAPI on the host GPU render node |
| 6 | +# (/dev/dri/renderD128) — works with AMD (amdgpu) and Intel (i915) GPUs. |
| 7 | +# For NVIDIA, use the `gpu = "nvidia"` convenience flag under [devices] |
| 8 | +# instead and select NVENC in the Jellyfin UI. |
| 9 | +# |
| 10 | +# Note on `gpu = "auto"` and NVIDIA: auto detects both the PCI vendor and the |
| 11 | +# bound driver. With the proprietary driver it uses the NVIDIA Container |
| 12 | +# Toolkit (CDI) path for NVENC; with nouveau it uses plain /dev/dri VAAPI. |
| 13 | +# Both work — but nouveau's hardware encode support is weak, so a proprietary |
| 14 | +# driver with `gpu = "nvidia"` is recommended for real transcoding on NVIDIA. |
| 15 | +# |
| 16 | +# Setup: |
| 17 | +# 1. Enable the workload. This pulls the image, creates the volume |
| 18 | +# directories, and runs the host setup script (setup.sh) which turns on |
| 19 | +# the `container_use_devices` SELinux boolean so the container may open |
| 20 | +# the GPU render node: |
| 21 | +# sudo workloadctl enable jellyfin |
| 22 | +# |
| 23 | +# 2. Add media. By default the library is the workload's own directory, |
| 24 | +# mounted read-only at /media inside the container: |
| 25 | +# /var/lib/workloads/jellyfin/media |
| 26 | +# Drop video files there (created automatically on enable). To serve |
| 27 | +# media from elsewhere instead — e.g. the smb-server share so files can |
| 28 | +# be added over SMB — see the [storage] section below. |
| 29 | +# |
| 30 | +# 3. Configure the firewall (LAN-only — recommended): |
| 31 | +# sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8096" protocol="tcp" accept' |
| 32 | +# sudo firewall-cmd --reload |
| 33 | +# |
| 34 | +# 4. Open http://<host-ip>:8096 and complete first-run setup. Add a library |
| 35 | +# pointing at /media. Then under Dashboard > Playback > Transcoding: |
| 36 | +# - Hardware acceleration: Video Acceleration API (VAAPI) |
| 37 | +# - VA-API device: /dev/dri/renderD128 |
| 38 | +# - Enable the HEVC / H.264 hardware decoders & encoders you want. |
| 39 | +# (AMD Navi 10 / RX 5000-series does H.264 and HEVC but not AV1 encode.) |
| 40 | +# |
| 41 | +# Notes: |
| 42 | +# - The official image runs as root inside the container. userns |
| 43 | +# keep-id:uid=0,gid=0 maps that to the unprivileged _wl-jellyfin host |
| 44 | +# user, so /config and /cache stay writable without granting real root. |
| 45 | +# - /media is mounted read-only — Jellyfin never modifies your library. |
| 46 | +# - To serve from the local registry instead of Docker Hub, retag the image |
| 47 | +# into zot (e.g. zamd:5050/jellyfin/jellyfin) and adjust [container]. |
| 48 | +# |
| 49 | +# After editing this file, apply changes with: |
| 50 | +# sudo workloadctl recreate jellyfin |
| 51 | + |
| 52 | +[workload] |
| 53 | +name = "jellyfin" |
| 54 | +enabled = false |
| 55 | + |
| 56 | +[container] |
| 57 | +image = "docker.io/jellyfin/jellyfin:latest" |
| 58 | +pull = "missing" |
| 59 | + |
| 60 | +[container.health] |
| 61 | +# The official image is Ubuntu-based (bash present) but ships no curl, so |
| 62 | +# probe the HTTP listener socket directly rather than hitting /health. |
| 63 | +cmd = "bash -c 'exec 3<>/dev/tcp/127.0.0.1/8096'" |
| 64 | +interval = "30s" |
| 65 | +start_period = "30s" |
| 66 | +on_failure = "kill" |
| 67 | + |
| 68 | +[container.environment] |
| 69 | +# Optional: the absolute URL clients should use, shown in the dashboard. |
| 70 | +# JELLYFIN_PublishedServerUrl = "http://192.168.0.100:8096" |
| 71 | + |
| 72 | +[storage] |
| 73 | +# By default the library lives in the workload's own home, so jellyfin is a |
| 74 | +# fully independent workload with no dependency on any other. |
| 75 | +# Default media path: /var/lib/workloads/jellyfin/media |
| 76 | +# |
| 77 | +# Deployment tweak — to serve media from another location, replace the last |
| 78 | +# entry with an absolute host path, e.g. to share the smb-server library: |
| 79 | +# "/var/lib/workloads/smb-server/exports/media:/media:ro" |
| 80 | +# (the workload user only needs read access to whatever path you choose). |
| 81 | +volumes = [ |
| 82 | + "./config:/config", |
| 83 | + "./cache:/cache", |
| 84 | + "./media:/media:ro", |
| 85 | +] |
| 86 | + |
| 87 | +[security] |
| 88 | +# keep-id:uid=0,gid=0 — the image runs as container root; map that to the |
| 89 | +# unprivileged _wl-jellyfin host user so volumes are writable without real |
| 90 | +# root. Not userns=host: no other host UID maps to the workload user. |
| 91 | +userns = "keep-id:uid=0,gid=0" |
| 92 | +# render — access the GPU VAAPI render node /dev/dri/renderD128. |
| 93 | +extra_groups = ["render"] |
| 94 | + |
| 95 | +[devices] |
| 96 | +# Just the render node — enough for VAAPI transcoding. Avoids pulling in |
| 97 | +# /dev/kfd and the card* node that gpu = "amd" would add. |
| 98 | +devices = ["/dev/dri/renderD128"] |
| 99 | + |
| 100 | +[network] |
| 101 | +mode = "pasta" |
| 102 | +ports = ["8096:8096"] |
| 103 | + |
| 104 | +[host] |
| 105 | +# Turns on the container_use_devices SELinux boolean so the container can |
| 106 | +# open the GPU render node. Idempotent; left in place on `disable` since |
| 107 | +# other GPU workloads may rely on it. |
| 108 | +setup = "setup.sh" |
| 109 | + |
| 110 | +[resources] |
| 111 | +shm_size = "256m" |
| 112 | +memory_high = "2G" |
| 113 | +memory_max = "4G" |
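Review bot: `image = "docker.io/jellyfin/jellyfin:latest"` together with `pull = "missing"` freezes the workload on whatever `latest` resolved to at first enable, so the deployed version is not reproducible across hosts and later upstream security fixes are never pulled. Pin a release tag and digest instead, e.g. `image = "docker.io/jellyfin/jellyfin:<version>@sha256:<digest>"` (placeholders), and bump it deliberately. Separately, `ports = ["8096:8096"]` publishes the plain-HTTP UI without a host address, so the LAN-only restriction rests entirely on the manual firewall step 3 in the header comment; if the `ports` syntax accepts a host-IP prefix (not visible here), binding to the LAN address would make that the default. The `[host]` comment should also state that `container_use_devices` is a host-wide SELinux boolean that relaxes device access for every container on the machine, not only this workload.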