eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/jellyfin.md
Erich Blume 8072cd21d7 C0: review jellyfin, upgrade indri to 10.11.11 (security fixes) 
Jellyfin was 5 patch releases behind (10.11.6 -> 10.11.11). 10.11.7 and
10.11.10 contain disclosed CVE/GHSA security fixes. Upgraded via
brew upgrade --cask jellyfin on indri; service verified healthy and
externally reachable (HTTPS 200).

Documented the recurring Gatekeeper gotcha: cask upgrades re-quarantine
the .app and the launchd service hangs silently until the first-launch
dialog is approved on indri's GUI console (xattr removal over SSH is
blocked by macOS TCC).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 06:35:23 -07:00

1.9 KiB
Raw Blame History

title modified last-reviewed tags
Jellyfin 2026-06-08 2026-06-08
service
media

Jellyfin

Open-source media server running natively on indri for VideoToolbox hardware transcoding.

Quick Reference

Property Value
URL https://jellyfin.ops.eblu.me
Local Port 8096
Data ~/Library/Application Support/jellyfin
Media /Volumes/allisonflix (NFS from sifaka)
LaunchAgent mcquack.jellyfin

Hardware Transcoding

Apple VideoToolbox on M1 Mac Mini.

Codec Support
H.264 encode/decode Hardware
HEVC (H.265) encode/decode Hardware
AV1 decode Software (requires M3+)
HDR to SDR tone mapping VPP (hardware)

Concurrent 4K streams with HDR tonemapping: ~3

Configuration

Dashboard > Playback:

  1. Hardware Acceleration: Apple VideoToolbox
  2. Allow hardware encoding: Enabled
  3. VPP Tone mapping: Enabled

Upgrades

Installed via Homebrew cask (state: present, unpinned), so the Ansible role won't bump an already-installed cask. To upgrade, run on indri:

brew upgrade --cask jellyfin

Gatekeeper gotcha: a cask upgrade replaces /Applications/Jellyfin.app and re-applies the com.apple.quarantine xattr. When launchd respawns the service, the new binary hangs silently — process alive but ~0 CPU, no logs, no listening socket — because Gatekeeper is holding the first launch pending approval. Removing the xattr over SSH fails (xattr -dr com.apple.quarantine ... → "Operation not permitted", blocked by macOS TCC). Approve the first-launch dialog on indri's GUI console (or run the xattr removal from a local Terminal with Full Disk Access), then reload the LaunchAgent.

Observability

  • Metrics: jellyfin_metrics ansible role
  • Logs: Forwarded via alloy
  • Dashboard: "Jellyfin Media Server" in grafana

Related