homelab/config/docker/jellyfin/docker-compose.yml
Arpad Krejczinger 6980c36ae9 Harden Docker container configurations
- Gitea: Bind ports to localhost, add security options, resource limits, health checks
- Jellyfin: Add security options, enhanced resource limits, health checks (kept host networking for GPU)
- qBittorrent: Bind torrent ports to localhost, add security options, health checks
- All configs: Non-root users, capability drops, no-new-privileges, tmpfs hardening

Security improvements:
- Ports no longer exposed to all interfaces (0.0.0.0)
- Added security options (no-new-privileges, cap_drop)
- Resource limits and health checks implemented
- Read-only filesystems where possible
- Temporary filesystems with restrictions
2025-09-12 19:14:59 +02:00


# DEPLOYMENT LOCATION: /opt/docker/jellyfin/docker-compose.yml
# Deploy with: sudo mkdir -p /opt/docker/jellyfin && sudo cp config/docker/jellyfin/docker-compose.yml /opt/docker/jellyfin/
# Start with: cd /opt/docker/jellyfin && sudo docker-compose up -d
# HARDENED CONFIGURATION - Updated for security
# - Non-root user maintained (1000:1000)
# - Security options added
# - Resource limits enhanced
# - Health check added
# - Network mode kept for hardware acceleration (acceptable risk)
services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    restart: unless-stopped
    # User and group IDs to match host user (hoborg); quoted so YAML never reads it as a number
    user: "1000:1000"
    # Environment variables
    environment:
      - JELLYFIN_PublishedServerUrl=https://ak-homelab.duckdns.org/media
    # Network mode for better performance and hardware acceleration
    # NOTE: Host networking is required for GPU hardware acceleration
    # This is an acceptable security trade-off for media performance
    # With host networking Jellyfin's 8096/tcp listens on every host interface
    # (no `ports:` mapping applies), so restrict it with the host firewall or a reverse proxy.
    network_mode: host
    # Security hardening
    read_only: false # Jellyfin needs write access for transcoding
    # (transcodes are written under /cache, which is a volume, so read_only: true
    # together with the volumes and tmpfs below is worth testing)
    tmpfs:
      - /tmp:noexec,nosuid,size=2G
    cap_drop:
      - ALL
    # NOTE: with a non-root `user:` these only enter the bounding set; the Jellyfin
    # process does not gain them as effective capabilities unless the binary carries
    # file capabilities, so they can usually be removed without loss.
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    security_opt:
      - no-new-privileges:true
    # Volume mounts - using same folders as Copyparty
    volumes:
      # Jellyfin configuration and data
      - /opt/docker/jellyfin/config:/config
      - /opt/docker/jellyfin/cache:/cache
      # Media folders (shared with Copyparty)
      - /mnt/nas/music:/media/music:ro
      - /mnt/nas/videos:/media/videos:ro
      - /mnt/nas/pictures:/media/pictures:ro
      - /mnt/nas/shared:/media/shared:ro
      - /mnt/nas/private:/media/private:ro
      # Additional media folders if they exist
      # - /home/hoborg/Movies:/media/movies:ro
      # - /home/hoborg/TV:/media/tv:ro
    # Device access for hardware acceleration (Intel/AMD GPU)
    devices:
      - /dev/dri:/dev/dri
    # Enhanced resource limits
    # Honoured by Compose v2 (`docker compose`); the v1 `docker-compose` binary
    # ignores `deploy` unless run with --compatibility, leaving the container unlimited.
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
        reservations:
          cpus: '0.5'
          memory: 512M
    # Health check (the official image ships curl)
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8096/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
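A compose file only states intent; whether the hardening actually reached the running container is visible in `docker inspect`. The script below is an added example, not part of this repository, that audits one container's inspect output against the checklist from the commit: non-root user, `cap_drop: ALL`, `no-new-privileges`, `noexec,nosuid` on the `/tmp` tmpfs, an applied memory limit (which also catches a silently ignored `deploy:` block) and read-only media mounts under `/media/`. The embedded inspect JSON is a constructed sample mirroring the file above, with one media bind deliberately left writable so the audit has something to report; the container name and `/media/` prefix are assumptions taken from this file.

```python
import json

# Constructed sample of `docker inspect jellyfin` output, trimmed to the fields the
# audit reads. It is not captured from the homelab; the values mirror the compose
# file above, except /media/videos is deliberately left writable to produce a finding.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/jellyfin",
    "Config": {"User": "1000:1000"},
    "HostConfig": {
        "NetworkMode": "host",
        "ReadonlyRootfs": False,
        "CapDrop": ["ALL"],
        "CapAdd": ["CHOWN", "SETUID", "SETGID", "DAC_OVERRIDE"],
        "SecurityOpt": ["no-new-privileges:true"],
        "Tmpfs": {"/tmp": "noexec,nosuid,size=2G"},
        "Memory": 2147483648,
        "Binds": [
            "/opt/docker/jellyfin/config:/config:rw",
            "/opt/docker/jellyfin/cache:/cache:rw",
            "/mnt/nas/music:/media/music:ro",
            "/mnt/nas/videos:/media/videos:rw",
        ],
    },
}])


def parse_bind(bind):
    """Split a HostConfig.Binds entry 'src:dst[:mode]' into (src, dst, mode).

    A missing mode means Docker's default, read-write."""
    parts = bind.split(":")
    if len(parts) == 2:
        return parts[0], parts[1], "rw"
    return parts[0], parts[1], parts[2]


def audit(inspect_json, media_prefix="/media/"):
    """Compare one container's runtime settings with the hardening checklist.

    Returns a list of human-readable findings; an empty list means every check passed."""
    container = json.loads(inspect_json)[0]
    hc = container["HostConfig"]
    findings = []

    # 1. The process must not run as root (empty User also means root).
    user = container["Config"].get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (no non-root user: set)")

    # 2. All capabilities dropped before any are selectively re-added.
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("cap_drop does not include ALL")

    # 3. no-new-privileges blocks setuid/file-capability escalation.
    opts = hc.get("SecurityOpt") or []
    if "no-new-privileges:true" not in opts and "no-new-privileges" not in opts:
        findings.append("no-new-privileges not set")

    # 4. Scratch space must not allow executables or setuid binaries.
    tmp_opts = (hc.get("Tmpfs") or {}).get("/tmp", "").split(",")
    for flag in ("noexec", "nosuid"):
        if flag not in tmp_opts:
            findings.append(f"/tmp tmpfs missing {flag}")

    # 5. Memory == 0 means unlimited, which is what you get when a `deploy:`
    #    block is ignored by a Compose version that does not honour it.
    if not hc.get("Memory"):
        findings.append("no memory limit applied")

    # 6. Media libraries should be mounted read-only; "ro,z"-style modes count.
    for bind in hc.get("Binds") or []:
        _src, dst, mode = parse_bind(bind)
        if dst.startswith(media_prefix) and "ro" not in mode.split(","):
            findings.append(f"media mount {dst} is writable ({mode})")

    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    # With a container name on the command line, audit the live container;
    # without one, run against the constructed sample.
    if len(sys.argv) > 1:
        raw = subprocess.run(["docker", "inspect", sys.argv[1]],
                             check=True, capture_output=True, text=True).stdout
    else:
        raw = SAMPLE_INSPECT
    for line in audit(raw) or ["all checks passed"]:
        print(line)
```

Run it as `python3 audit_container.py jellyfin` on the host after `docker-compose up -d`; a `no memory limit applied` finding on a container started with the v1 `docker-compose` binary is the quickest way to see that the `deploy:` block was not honoured.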