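# DEPLOYMENT LOCATION: /opt/docker/jellyfin/docker-compose.yml
# Deploy with: sudo mkdir -p /opt/docker/jellyfin && sudo cp config/docker/jellyfin/docker-compose.yml /opt/docker/jellyfin/
# Start with: cd /opt/docker/jellyfin && sudo docker-compose up -d
# HARDENED CONFIGURATION - Updated for security
# - Non-root user maintained (1000:1000)
# - Security options added
# - Resource limits enhanced
# - Health check added
# - Network mode kept for hardware acceleration (acceptable risk)
services:
  jellyfin:
    # NOTE(review): `latest` is a moving tag — pinning a release tag or a digest
    # makes upgrades deliberate and reproducible; left as-is pending a decision.
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    restart: unless-stopped

    # User and group IDs to match host user (hoborg).
    # Quoted so the colon-separated value is always read as a string, never as a number.
    user: "1000:1000"

    # Environment variables
    environment:
      - JELLYFIN_PublishedServerUrl=https://ak-homelab.duckdns.org/media

    # Network mode for better performance and hardware acceleration
    # NOTE: Host networking is required for GPU hardware acceleration
    # This is an acceptable security trade-off for media performance
    network_mode: host

    # Security hardening
    read_only: false  # Jellyfin needs write access for transcoding
    tmpfs:
      - /tmp:noexec,nosuid,size=2G
    cap_drop:
      - ALL
    # NOTE(review): with a non-root `user:` these capabilities are only in the
    # bounding set, not the effective set, and no-new-privileges blocks gaining
    # them through setuid binaries — confirm they are still required.
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    security_opt:
      - no-new-privileges:true

    # Volume mounts - using same folders as Copyparty
    volumes:
      # Jellyfin configuration and data
      - /opt/docker/jellyfin/config:/config
      - /opt/docker/jellyfin/cache:/cache
      # Media folders (shared with Copyparty)
      - /mnt/nas/music:/media/music:ro
      - /mnt/nas/videos:/media/videos:ro
      - /mnt/nas/pictures:/media/pictures:ro
      - /mnt/nas/shared:/media/shared:ro
      - /mnt/nas/private:/media/private:ro
      # Additional media folders if they exist
      # - /home/hoborg/Movies:/media/movies:ro
      # - /home/hoborg/TV:/media/tv:ro

    # Device access for hardware acceleration (Intel/AMD GPU)
    devices:
      - /dev/dri:/dev/dri

    # Enhanced resource limits
    # NOTE(review): `deploy.resources` is honoured by Compose v2; the legacy
    # docker-compose v1 binary named in the "Start with" line ignores it unless
    # run with `--compatibility` — confirm which version is installed, otherwise
    # these limits are not applied.
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
        reservations:
          cpus: '0.5'
          memory: 512M

    # Health check (with host networking, localhost is the host loopback)
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8096/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s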