# Installation

Although Jellyfin is directly available from TrueCharts, we will launch it as a custom configuration with Docker image to be more flexible.

# Preparation

If this is a fresh TrueNAS installation and you click on Apps , a dialog is shown. Select odin as the pool for apps. This will also start the Docker daemon (which we will need later) as the daemon is not running straight out of the box.

Additionally, under Apps go to Kubernetes Settings and uncheck Enable Host Path Safety Checks.

For our use-case: yes, it is. Because Jellyfin (respectively the container) get only read access to our media and never modify or write anything.

Nevertheless, you need to be careful with this option, as it is not possible to set it on a per-container or per-app base. On the link below, you will find more information and also some alternatives how to circumvent the problem with host path safety check enabled.

https://www.truenas.com/community/threads/understanding-the-truenas-scale-hostpathvalidation-setting.109100/

Also check if Intel QuickSync is available for hardware transcoding. Go to System Settings -> Shell and enter the command lspci

There you should see a VGA-compatible controller from Intel (in this example Intel Corporation Device 4c90 (rev 04)). If you don't see such a device, maybe you first need to enable it in the BIOS, as described here: https://avalon.christianrybovic.ch/hardware/configuration/

If the device is not available, you won't be able to select any GPU later when configuring Docker, and accordingly, hardware transcoding will not be available in Jellyfin.

# User Configuration

Create a new user jellyfin. We will use this user for the Docker container and for miscellaneous permissions.

Note that this is a pure TrueNAS internal user and has nothing directly to do with the Jellyfin application itself. You won't be able to log in to Jellyfin with this user.

Go to Credentials -> Local Users -> Add and create the new user.

Settings

Idenfitication
Full Name: jellyfin
Username: jellyfin
Disable Password: Enable

User ID and Groups
Create New Primary Group: Disable
Primary Group: apps

Authentication
Samba Authentication: Uncheck

# Application Data

Now create some basic folders where Jellyfin can place its configurations. Go to Dataset -> odin -> Add and create a new dataset.

Settings

Name and Options
Name: app-jellyfin

Encryption Options
Inherit (unencrypted): Uncheck

Don't change the encryption type to passphrase, as this would result in not automatically unlocking the dataset after reboot.

Switch over to System Settings -> Shell and enter the following commands:

sudo mkdir /mnt/odin/app-jellyfin/cache
sudo mkdir /mnt/odin/app-jellyfin/config

Now go to Dataset -> odin -> app-jellyfin -> Permission -> Edit and adjust the permissions accordingly.

Settings

Owner
User: jellyfin
Apply User: Check
Group: apps
Apply Group: Check

Advanced
Apply permission recursively: Check

You can confirm the warning dialog without hesitation (the dataset currently doesn't contain any data).

# Docker Container

As the automatic Docker image pull with Kubernetes didn't work for me for larger images like Jellyfin, we will pull it manually in the shell. Go to System Settings -> Shell and enter the following command:

sudo docker pull jellyfin/jellyfin:latest

If you get an error on this command, maybe the Docker daemon is not running. You can check that with the shell command sudo systemctl status docker. If it is not running, check the steps from the preparation section above.

After the image is pulled, launch the Docker image under Apps -> Launch Docker Image with these settings:

Settings

Application name
Application Name: jellyfin

Container Images
Image repository: jellyfin/jellyfin
Image Pull Policy: Never pull image even if it's not present on host

Networking
Provide access to node network namespace for the workload: Check

This option allows us to access Jellyfin on the default port 8096. Otherwise we must define the ports ourselves and above the value 9000.

Storage -> Host Path Volumes
Host Path: /mnt/odin/app-jellyfin/cache
Mount Path: /cache

Host Path: /mnt/odin/app-jellyfin/config
Mount Path: /config

Host Path: /mnt/loki/video-movies
Mount Path: /media/loki/movies
Read Only: Check

Host Path: /mnt/loki/video-series
Mount Path: /media/loki/series
Read Only: Check

We don't want that Jellyfin or any other software will perform changes to our media. Therefore we add the read only flag (independently of the permission settings).

Storage -> Memory Backed Volumes
Mount Path: /mnt/transcodes
Size Limit: 64Gi

Do not write transcoding cache files to disk, use only memory.

Application name
Configure Container User and Group ID: Check
Run Container As User: 3001
Run Container As Group: 107

The user ID must match the ID of the jellyfin user. The group ID must match the render group ID. If you hadn't changed any system settings, this would normally be 107.

Resource Reservation
GPU Resource (gpu.intel.com/i915): Allocate 5 gpu.intel.com/i915 GPU

If you can't allocate any GPU, check out the preparation section above.

This is necessary because we want to run the container in Kubernetes as non-root. When not running as render group, the container has no permission to access the device, and therefore Jellyfin can not use hardware transcoding. It's a little bit ugly to run it under this built-in group, but from a security perspective, it's still better than running it as root or modifying the default permissions.

https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/

Kubernetes will automatically deploy and start the container after saving. When Jellyfin opens after typing http://[IP-ADRESS]:8096 in the browser, we can head over to the next step and start configuring it.