Add Jellyfin media server role as rootless Podman quadlet

Deploys Jellyfin as a user-scoped systemd service via a quadlet
.container file, with configurable ports, media path (defaults to
~/media), and podman auto-update support.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: shanemcd

AGENTS.md

@@ -62,6 +62,7 @@ uvx --from ansible-core ansible-playbook shanemcd.toolbox.<playbook_name>
 - `inception` - Meta-playbook for full system setup (runs oh_my_zsh, dotfiles, flatpaks, fonts, emacs; requires `--ask-become-pass` or `-K`)
 - `sunshine` - Configure Sunshine game streaming with keybindings and enable systemd user service
 - `nfs` - Configure NFS server for media sharing (requires `--ask-become-pass` or `-K`)
+- `jellyfin` - Deploy Jellyfin media server as a rootless Podman quadlet (user-scoped systemd service)
 
 ## Adding New Playbooks and Roles
 

README.md

@@ -167,3 +167,26 @@ ansible-playbook shanemcd.toolbox.jetkvm_tailscale \
 2. Installs tailscaled daemon with init script (`S22tailscale`)
 3. Configures persistent state in `/userdata/tailscale-state`
 4. Authenticates using provided auth key
+
+### Services
+
+#### `jellyfin`
+Deploy Jellyfin media server as a rootless Podman container managed by a user-scoped systemd quadlet.
+
+```bash
+ansible-playbook shanemcd.toolbox.jellyfin -v
+```
+
+**What it does:**
+1. Creates `~/media` directory (shared with the NFS role)
+2. Deploys a quadlet `.container` file to `~/.config/containers/systemd/`
+3. Enables `loginctl linger` so the service runs without an active login session
+4. Starts and enables the `jellyfin` systemd user service
+
+**Options:**
+- `jellyfin_image` - Container image (default: `docker.io/jellyfin/jellyfin:latest`)
+- `jellyfin_web_port` - HTTP port (default: `8096`)
+- `jellyfin_media_path` - Media library path (default: `~/media`)
+- `jellyfin_media_readonly` - Mount media read-only (default: `true`)
+- `jellyfin_auto_update` - Enable `podman auto-update` (default: `true`)
+- `jellyfin_enable_linger` - Enable loginctl linger (default: `true`)

ansible_collections/shanemcd/toolbox/playbooks/jellyfin.yml

@@ -0,0 +1,8 @@
+---
+- name: Deploy Jellyfin media server as a Podman quadlet
+  hosts: localhost
+  connection: local
+  gather_facts: true
+
+  roles:
+    - jellyfin

ansible_collections/shanemcd/toolbox/roles/jellyfin/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+# Container image
+jellyfin_image: docker.io/jellyfin/jellyfin:latest
+
+# Enable podman auto-update for the container
+jellyfin_auto_update: true
+
+# Web UI port (HTTP)
+jellyfin_web_port: 8096
+
+# Optional ports (set to a port number to enable)
+# jellyfin_https_port: 8920
+# jellyfin_discovery_port_dlna: 1900
+# jellyfin_discovery_port_client: 7359
+
+# Media library path on the host
+jellyfin_media_path: "{{ ansible_facts['env']['HOME'] }}/media"
+
+# Mount media as read-only
+jellyfin_media_readonly: true
+
+# Named Podman volumes for persistent data
+jellyfin_config_volume: jellyfin-config
+jellyfin_cache_volume: jellyfin-cache
+
+# Enable loginctl linger so the user service runs without an active login session
+jellyfin_enable_linger: true

ansible_collections/shanemcd/toolbox/roles/jellyfin/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Restart Jellyfin
+  ansible.builtin.systemd_service:
+    name: jellyfin
+    scope: user
+    daemon_reload: true
+    state: restarted

ansible_collections/shanemcd/toolbox/roles/jellyfin/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Ensure media directory exists
+  ansible.builtin.file:
+    path: "{{ jellyfin_media_path }}"
+    state: directory
+    mode: "0755"
+
+- name: Ensure quadlet directory exists
+  ansible.builtin.file:
+    path: "{{ ansible_facts['env']['HOME'] }}/.config/containers/systemd"
+    state: directory
+    mode: "0755"
+
+- name: Deploy Jellyfin quadlet container file
+  ansible.builtin.template:
+    src: jellyfin.container.j2
+    dest: "{{ ansible_facts['env']['HOME'] }}/.config/containers/systemd/jellyfin.container"
+    mode: "0644"
+  notify: Restart Jellyfin
+
+- name: Enable loginctl linger
+  ansible.builtin.command:
+    cmd: loginctl enable-linger {{ ansible_facts['env']['USER'] }}
+  changed_when: false
+  when: jellyfin_enable_linger
+
+- name: Reload systemd user daemon
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    scope: user
+
+- name: Enable and start Jellyfin service
+  ansible.builtin.systemd_service:
+    name: jellyfin
+    scope: user
+    enabled: true
+    state: started

ansible_collections/shanemcd/toolbox/roles/jellyfin/templates/jellyfin.container.j2

@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+
+[Container]
+Image={{ jellyfin_image }}
+{% if jellyfin_auto_update %}
+AutoUpdate=registry
+{% endif %}
+PublishPort={{ jellyfin_web_port }}:8096
+{% if jellyfin_https_port is defined %}
+PublishPort={{ jellyfin_https_port }}:8920
+{% endif %}
+{% if jellyfin_discovery_port_dlna is defined %}
+PublishPort={{ jellyfin_discovery_port_dlna }}:1900/udp
+{% endif %}
+{% if jellyfin_discovery_port_client is defined %}
+PublishPort={{ jellyfin_discovery_port_client }}:7359/udp
+{% endif %}
+Volume={{ jellyfin_config_volume }}:/config:Z
+Volume={{ jellyfin_cache_volume }}:/cache:Z
+Volume={{ jellyfin_media_path }}:/media:{% if jellyfin_media_readonly %}ro,{% endif %}Z
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target