From a2480da0b91ddd086fde50f7795f8bca60373ab2 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 22 Nov 2024 15:11:00 -0600 Subject: [PATCH] added nvidia to scrypted and jellyfin correctly --- .../nixos/containers/jellyfin/default.nix | 77 +++++++++++++------ .../nixos/containers/scrypted/default.nix | 69 +++++++++++------ .../containers/scrypted/systemd/start-pre.sh | 7 ++ 3 files changed, 104 insertions(+), 49 deletions(-) create mode 100644 nixos/modules/nixos/containers/scrypted/systemd/start-pre.sh diff --git a/nixos/modules/nixos/containers/jellyfin/default.nix b/nixos/modules/nixos/containers/jellyfin/default.nix index 61c7b17..ca58d43 100644 --- a/nixos/modules/nixos/containers/jellyfin/default.nix +++ b/nixos/modules/nixos/containers/jellyfin/default.nix @@ -1,6 +1,7 @@ { lib, config, + pkgs, ... }: with lib; @@ -9,7 +10,6 @@ let # renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker version = "10.10.2"; image = "ghcr.io/jellyfin/jellyfin:${version}"; - port = 8096; # int cfg = config.mySystem.containers.${app}; in { 
@@ -27,37 +27,64 @@ in # Implementation config = mkIf cfg.enable { - # Container - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "568:568"; + # Systemd service for container + systemd.services.${app} = { + description = "Jellyfin Media Server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; - volumes = [ - "/nahar/containers/volumes/jellyfin:/config:rw" - "/moria/media:/media:rw" - "tmpfs:/cache:rw" - "tmpfs:/transcode:rw" - "tmpfs:/tmp:rw" - ]; + serviceConfig = { + ExecStartPre = "${pkgs.writeShellScript "jellyfin-start-pre" '' + set -o errexit + set -o nounset + set -o pipefail - environment = { - TZ = "America/Chicago"; - DOTNET_SYSTEM_IO_DISABLEFILELOCKING = "true"; - JELLYFIN_FFmpeg__probesize = "50000000"; - JELLYFIN_FFmpeg__analyzeduration = "50000000"; + podman rm -f ${app} || true + rm -f /run/${app}.ctr-id + ''}"; + ExecStart = '' + ${pkgs.podman}/bin/podman run \ + --rm \ + --name=${app} \ + --user=568:568 \ + --device='nvidia.com/gpu=all' \ + --log-driver=journald \ + --cidfile=/run/${app}.ctr-id \ + --cgroups=no-conmon \ + --sdnotify=conmon \ + --volume="/nahar/containers/volumes/jellyfin:/config:rw" \ + --volume="/moria/media:/media:rw" \ + --volume="tmpfs:/cache:rw" \ + --volume="tmpfs:/transcode:rw" \ + --volume="tmpfs:/tmp:rw" \ + --env=TZ=America/Chicago \ + --env=DOTNET_SYSTEM_IO_DISABLEFILELOCKING=true \ + --env=JELLYFIN_FFmpeg__probesize=50000000 \ + --env=JELLYFIN_FFmpeg__analyzeduration=50000000 \ + --env=JELLYFIN_PublishedServerUrl=http://10.1.1.61:8096 \ + -p 8096:8096 \ + -p 8920:8920 \ + -p 1900:1900/udp \ + -p 7359:7359/udp \ + ${image} + ''; + ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id"; + ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id"; + Type = "simple"; + Restart = "always"; }; - - ports = [ "${toString port}:${toString port}" ]; # expose port - - extraOptions = [ - # "--device 
nvidia.com/gpu=all" - ]; }; # Firewall networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ port ]; - allowedUDPPorts = [ port ]; + allowedTCPPorts = [ + 8096 # HTTP web interface + 8920 # HTTPS web interface + ]; + allowedUDPPorts = [ + 1900 # DLNA discovery + 7359 # Jellyfin auto-discovery + ]; }; # TODO add nginx proxy diff --git a/nixos/modules/nixos/containers/scrypted/default.nix b/nixos/modules/nixos/containers/scrypted/default.nix index 793f101..45c30d4 100644 --- a/nixos/modules/nixos/containers/scrypted/default.nix +++ b/nixos/modules/nixos/containers/scrypted/default.nix @@ -1,6 +1,7 @@ { lib, config, + pkgs, ... }: with lib; @@ -9,7 +10,6 @@ let # renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker version = "v0.123.30-jammy-nvidia"; image = "ghcr.io/koush/scrypted:${version}"; - port = 11080; # int cfg = config.mySystem.containers.${app}; in { 
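Review bot: The `ExecStartPre` script calls `podman rm -f ${app}` by bare name while `ExecStart` pins `${pkgs.podman}/bin/podman`; a systemd unit only gets systemd's default PATH, so unless podman is in systemPackages or the unit sets `path = [ pkgs.podman ]` the pre-start step fails and, with `Restart = "always"`, the unit crash-loops. Use the store path in the script too: `${pkgs.podman}/bin/podman rm -f ${app} || true`. Also, `--sdnotify=conmon` has no effect with `Type = "simple"`, because systemd ignores readiness notifications unless the unit is `Type = "notify"` (podman's own generated units pair `--sdnotify=conmon` with `Type = "notify"` and `NotifyAccess = "all"`), so as written systemd reports the service started before the container is actually up. Lastly, `--device='nvidia.com/gpu=all'` is a CDI device reference and presumably needs the NVIDIA CDI spec generated on the host (e.g. `hardware.nvidia-container-toolkit.enable = true` on NixOS), which this patch does not show — confirm it is enabled elsewhere.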
@@ -27,36 +27,57 @@ in # Implementation config = mkIf cfg.enable { - # Container - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; + # Systemd service for container + systemd.services.${app} = { + description = "Scrypted Home Security"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; - volumes = [ - "/nahar/containers/volumes/scrypted:/server/volume:rw" - # "/nahar/scrypted:/recordings:rw" - "tmpfs:/.cache:rw" - "tmpfs:/.npm:rw" - "tmpfs:/tmp:rw" - ]; + serviceConfig = { + ExecStartPre = "${pkgs.writeShellScript "scrypted-start-pre" '' + set -o errexit + set -o nounset + set -o pipefail - extraOptions = [ - # all usb devices, such as coral tpu - "--device=/dev/bus/usb" - "--network=host" - "--device nvidia.com/gpu=all" - ]; - - environment = { - TZ = "America/Chicago"; + podman rm -f ${app} || true + rm -f /run/${app}.ctr-id + ''}"; + ExecStart = '' + ${pkgs.podman}/bin/podman run \ + --rm \ + --name=${app} \ + --device=/dev/bus/usb \ + --device='nvidia.com/gpu=all' \ + --log-driver=journald \ + --cidfile=/run/${app}.ctr-id \ + --cgroups=no-conmon \ + --sdnotify=conmon \ + --volume="/nahar/containers/volumes/scrypted:/server/volume:rw" \ + --volume="tmpfs:/.cache:rw" \ + --volume="tmpfs:/.npm:rw" \ + --volume="tmpfs:/tmp:rw" \ + --env=TZ=America/Chicago \ + --network=host \ + ${image} + ''; + ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id"; + ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id"; + Type = "simple"; + Restart = "always"; }; - - ports = [ "${toString port}:${toString port}" ]; # expose port }; # Firewall networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ port ]; - allowedUDPPorts = [ port ]; + allowedTCPPorts = [ + 11080 # Main Scrypted interface + 10443 # HTTPS interface + 8554 # RTSP server + ]; + allowedUDPPorts = [ + 10443 # HTTPS interface + 8554 # RTSP server + ]; }; # TODO add nginx proxy 
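Review bot: The scrypted container in the new `ExecStart` runs as root inside the container (no `--user`, unlike the jellyfin service's `--user=568:568`) while also getting `--network=host`, every USB device via `--device=/dev/bus/usb`, and the GPU, so a compromise of the exposed web or RTSP listeners lands in a root process with the host's network namespace and raw USB access. If the image tolerates a non-root user, add `--user=<uid>:<gid>`; otherwise at least add `--security-opt=no-new-privileges` and consider `--cap-drop=ALL` plus only the capabilities scrypted actually needs. The firewall block also opens UDP 10443 (commented as "HTTPS interface") and UDP 8554 (RTSP); HTTPS and RTSP signalling are TCP, and RTP media normally uses negotiated ports rather than 8554, so these UDP entries look wrong — confirm against what scrypted actually binds before leaving them open. Because `--network=host` makes the container bind directly on the host, the firewall list is now the only thing describing the exposed ports, so a short comment noting it must track the listeners configured inside scrypted would help the next maintainer.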
diff --git a/nixos/modules/nixos/containers/scrypted/systemd/start-pre.sh b/nixos/modules/nixos/containers/scrypted/systemd/start-pre.sh new file mode 100644 index 0000000..3beb40a --- /dev/null +++ b/nixos/modules/nixos/containers/scrypted/systemd/start-pre.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +set -o errexit +set -o nounset +set -o pipefail + +podman rm -f scrypted || true +rm -f /run/scrypted.ctr-id
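Review bot: As far as this patch shows, `start-pre.sh` is not referenced from `scrypted/default.nix`, which inlines the same two commands via `pkgs.writeShellScript`, so this file is dead and will drift from the unit's real pre-start step; either point `ExecStartPre` at it (e.g. `ExecStartPre = "${pkgs.bash}/bin/bash ${./systemd/start-pre.sh}";`) or drop it. It also hard-codes the container name `scrypted` and calls `podman` by bare name, which only works if podman is on the unit's PATH, whereas the Nix-side script can use `${pkgs.podman}/bin/podman` directly. If the file is kept, add a header comment such as `# Pre-start cleanup for the scrypted podman unit; must match ExecStartPre in ../default.nix` so the duplication is at least documented.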