Last updated on 28 January 2024
Important or Recent Updates
| Historic Updates | Date |
|---|---|
| New DSM7.2 Container Manager Update (Beta/RC) | 30/04/2023 |
| Amended the devices mounted to the container as had reports of better performance with them. | 17/05/2023 |
| Added additional security option to the compose to restrict the container from gaining new privileges as well as umask variable | 25/10/2023 |
In this guide I am going to take you through the setup of Jellyfin in Container Manager using Docker Compose.
Does my Synology support Hardware Transcoding?
Before we do anything else, you need to make sure your model of Synology has hardware transcoding capabilities. You need to do a quick lookup via the linked Google Sheet below, this is updated by Plex however it’s perfectly relevant for Jellyfin.
If you find that your model does not support hardware transcoding you can jump back over to the standard guide.
Let’s Begin
As usual, it’s important you complete the three preceding guides which will get your folder structure and docker, user and bridge network setup.
- Docker, Memory Recommendations and Limitations
- Step 1: Directory Setup Guide
- Step 2: Setting up a restricted Docker user
- Step 3: Setting up a Docker Bridge Network
Folder Setup
Let’s start by getting some folders set up for the container to use. Open up File Station create the following.
/docker/projects/jellyfin-compose
/docker/jellyfin
Container Manager
Next we are going to set up a ‘Project’ in Container Manager. Open up Container Manager and click on Project then on the right-hand side click ‘Create’.
In the next screen we will set up our General Settings, enter the following:
| Section | Setting |
|---|---|
| Project Name: | jellyfin |
| Path: | /docker/projects/jellyfin-compose |
| Source: | Create docker-compose.yml |
Next we are going to drop in our docker compose configuration copy all the code in the box below and paste it into line ‘1’ just like the screenshot.
What on earth is a Docker Compose? Docker Compose allows us to define how Docker should set up one or more containers within a single configuration file. This file is yaml formatted and Container Manager uses the Projects feature to manage them.
services:
jellyfin:
image: linuxserver/jellyfin:latest
container_name: jellyfin
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- UMASK=022
- JELLYFIN_PublishedServerUrl=SEE_TABLE_BELOW
volumes:
- /volume1/docker/jellyfin:/config
- /volume1/data/media:/data/media
devices:
- /dev/dri/renderD128:/dev/dri/renderD128
- /dev/dri/card0:/dev/dri/card0
ports:
- 8096:8096/tcp #web port
- 8920:8920/tcp #optional
- 7359:7359/udp #optional
network_mode: synobridge
security_opt:
- no-new-privileges:true
restart: alwaysThe two optional ports in the above can be removed if you will not use them. 7359 is for automated discovery of Jellyfin by the apps, and 8920 is the HTTPS port which is useful if not using the reverse proxy later in the guide.
Environment Variables
We need to make some changes in order for the container to have the correct permissions to save its configuration files and to have access to your media.
| Variable | Value |
|---|---|
| PUID | (required) The UID you obtained in the user setup guide |
| PGID | (required) The GID you obtained in the user setup guide |
| TZ | (required) Your timezone wikipedia.org/wiki/List_of_tz_database_time_zones |
| JELLYFIN_PublishedServerUrl | This will be your NAS IP or if you are going to be accessing via your DDNS address use this. (You can change this later if you wish) |
Volumes
We can now pass through our file paths into the container they are mounted using the volume’s section of the compose file.
I have pre-filled this section to pass the correct paths, the only thing that you may need to change is the /volume1/ if your file paths are on a different volume.
Click ‘Next’
You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again.
On the final screen click ‘Done’ which will begin the download of the container images and once downloaded they will be launched!
The image will now be downloaded and extracted. You should see ‘Code 0’ when it has finished.
You will now see your Jellyfin running and should have a green status on the left-hand side.
Firewall Exceptions
(Skip if you don’t have the Firewall configured)
If you have enabled and configured the Synology Firewall you will need to create exceptions for any containers that have a Web UI or have any incoming or outgoing connections. This section covers the basics of how to add these. (Please note this is a generic section and will not show the specific ports used in this guide however it applies in the same way)
Also, I would like to refer people to the great guide on getting the Firewall correctly configured over on WunderTechs site.
Head into the Control Panel> Security > Firewall, from here click Edit Rules for the profile you set up when you enabled the Firewall.
Next click on Create and you will see the screen below. Source IP and Action will be automatically selected to All and Allow, I will leave it up to you as to your own preference on whether you want to lock down specific Source IPs from having access. In this example we will leave as All.
You will now choose ‘Custom‘ and then the Custom button
Now select Destination from the drop-down menu, most web based containers require TCP access but check the guide as it will show the port and protocol. Then add comma separated ports. Then press OK.
Click OK a couple of times to get back to the main screen. You will see by default the new rule is added to the bottom of the list. You must always have your Block All rule last in the list as the rules are applied top down so move your container up.
You have now completed the Firewall changes and can continue with the guide.
Jellyfin Initial Setup
After a few minutes you should be able to access the server and go through the initial Jellyfin setup by going to the IP of your NAS in your browser followed by port 8096.
e.g. 192.168.0.30:8096
When adding movies or shows they will be located in the /data/media folder.
How to enable Hardware Transcoding
The last steps for initial set up are to enable the hardware transcode features for your NAS.
On the main Jellyfin homescreen, click on the hamburger menu on the top left and then ‘Dashboard’ in the ‘Administration’ section
On the next screen select ‘Playback’ where you will now be able to select from the first drop-down from ‘None’ to ‘Intel QSV Video’
I have removed the video previously shown below and changed into a table – to take into account some feedback and testing completed in our Matrix/Discord server.
Below are the settings you would enable for a Gemini Lake based NAS such as the 920+/720+/420+/220+. You can cross-check between the Synology CPU list and the table on the QSV Wikipedia page as to the hardware functions your NAS supports.
Please note that I have included the items I changed from the default values – e.g. if the default item is turned off, and I turn it on then it appears in the table.
| Setting changed from the default. | Variable to use |
|---|---|
| H264 | Ticked |
| HEVC | Ticked |
| MPEG2 | Ticked |
| VC1 | Ticked |
| VP8 | Ticked |
| VP9 | Ticked |
| HEVC 10bit | Ticked |
| VP9 10bit | Ticked |
| Allow Encoding in HEVC format | Ticked |
| Enable VPP Tone Mapping | Ticked |
| Enable Tone Mapping | Unticked |
Once you have made the required change press ‘Save’ and you are now free to change any other settings you wish in relation to the server, make sure you check out the fantastic documentation from Jellyfin.
Remote Access
If you are going to be using your set-up outside your LAN you will also need to enable the following options to allow access and also to restrict bandwidth
Allow remote connections to this server
Streaming
In order to limit upload bandwidth you can also set an overall limit for streams, this is useful if you or other users will be trying to play back files larger than your upload bandwidth can handle
Part 2 – DDNS, SSL and Reverse Proxy
Before we start, make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/
In order to successfully use the reverse proxy you will also need to forward port 443 to you NAS IP. (You will need to check how to do this on your own router) This port is used for secure web traffic.
DDNS (Dynamic Domain Name System)
A DDNS address allows you to get external access to Jellyfin via a subdomain provided by Synology, this is useful on home internet connections where your ISP will change your IP address on a regular basis. (If you already have this set up via another guide you can skip to the Reverse Proxy section)
Note: If you want to access DSM via this new address you will either need to create an additional Reverse Proxy for it or open port 5001 on your router.
In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab
Click on ‘Add’, then fill out the following sections.
| Section | Value |
|---|---|
| Service Provider | Synology |
| Hostname | This can be anything it will be used to access your NAS externally |
| Email: | Log into your Synology account |
| External Address (IPv4) | This should be filled in automatically |
| External Address (IPv6) | This should be filled in automatically if your ISP is using IPv6 |
| Get a Cert from Let’s Encrypt | Tick this box |
| Enable Heartbeat | Tick this box |
Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.
You should now test that you can access your Diskstation via the hostname you requested and not receive any SSL errors.
Reverse Proxy
So you don’t have to open up additional ports on your router for Jellyfin we are going to set up a reverse proxy subdomain. This means you and your users can access Jellyfin without using a port number as it will route all traffic through the secure 443 port.
Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.
We are now going to enter some rules, so when you or your users access the URL specified the request will automatically be sent to the Jellyfin web UI.
Use the settings below, you will need to amend the Hostname sections in line with the hostname you registered earlier, and the IP of your NAS.
| Setting | Value |
|---|---|
| Reverse Proxy Name: | jellyfin |
| Protocol: | HTTPS |
| Hostname: | jellyfin.xxx.synology.me (change the part after ‘jellyfin.’ to your own hostname you registered earlier. |
| Port: | 443 |
| Protocol: | HTTP |
| Hostname: | Your NAS IP |
| Port: | 8096 |
On the second tab ‘Custom Header’ click on Create then WebSocket, this will add two entries which will force a https connection if you ever try to connect over http, you can now press save.
You should now be able to access the Jellyfin login screen to https://jellyfin.yourhostname it will be a secure connection, and you should have no SSL errors.
You can now log in with the username and password you created earlier, the same address is used in the Android and iPhone apps.
Buy Me a Coffee or a Beer
If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me get the odd beverage. Plus 10% goes to the devs of the apps I do guides for every year.
First of all, thank you for all the work you have put into this comprehensive guide! I’m a total newbie when it comes to Docker, but I’m no stranger to tinkering in general.
But I’ve run into a few issues, mainly regarding the reverse proxy setup. I have of course follwed the previous guides, but can’t get it to work accessing Jellyfin outside of my network. Port 443 is open on my router and firewall. But there are a few things I’m a bit unsure of.
1. In the YAML part regarding the “JELLYFIN_PublishedServerUrl”, do I add my DDNS with or without the “jellyfin” part infront of it like “jellyfin.MYNAME.synology.me”?And what about http/https is that needed infront of it all? And what about the port, do I need that as well? I’ve tried all the variations but none of them works.
2. Then when saving the updated YAML settings in Container Manager it asks me if I want to “Only save changes” or “Build and start the project…”. Which one is correct? So far I’ve chosen Only Save Changes as I’m afraid the other options will clear all my Jellyfin settings/libraries…
Hey!
1) You can just include ‘jellyfin.kennenth.synology.me’ in that section
2) Build and Start will save the edits and bring the container back up again, it won’t touch the config of Jellyfin other than the updated URL you specify.
Let me know how you get on, I have a list of FAQ questions to add to the bottom of the guides using DDNS addresses as it seems to be a real pain point for some and sometimes requires a few checks.. Feel free to drop me a note directly via my Help Me! Page in the menu. 🙂
Hi Doc !
Thanks a lot for your multiple guides, very helpful and made me more comfortable with docker-compose and stuff 🙂
I’m here to query your help i’m stuck on a point on this one.
I run the container fine, with PUID and PGID used in other projects, where everything is running smooth.
I can start the configuration of Jellyfin, create a user and select medias, but after that, on login screen, my username is not recognized.
In logs, I have this particular one, seems that the saving of my user is not OK.
[ERR] [18] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: Invalid username or password entered. URL POST /Users/authenticatebyname.
[INF] [18] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for XXXX has been denied (IP: 172.20.0.1).
at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
MediaBrowser.Controller.Authentication.AuthenticationException: Invalid username or password
I think it’s permissions somewhere, but I can’t help myself (like Tom Jones).
Can I have some good advices please ? 🙂
Hey I have not seen this before now, has the container successfully created the config files within the docker share etc? Are you connecting via the local IP address or a DDNS/SSL domain name?
Yes all config files are here.
I’m connecting via local IP, from my computer.
Notice that I have a second Jellyfin container running, via the default 8096 port, without HW transcoding, that’s why I created this one, to test the differences.
Sorry have you sorted this yet, what happens if you stop the existing container, you could just add the hardware line to that ones yaml as that is the main difference if its available you may as well add it.
Used these guys for a synology setup for Arr/Jellyfin/Gluetun Docker Container. Now I am reading more about Tailscale. Do you think it’s a good change to switch from Synology QuickConnect to that? And if so was wondering what changes to make before following the Tailscale guide you have.
If you want to keep your various apps offline then 100% Tailscale is a great app to layer in, the less you have exposed to the wild web the more you reduce the possible attack surface. An alternative which I am drafting a guide up for is purely using a WireGuard container to remotely connect back into your network, I am currently testing that out and leave it connected on my phone 24/7 without issues. (Tailscale just as gentle on battery!)
Thanks! I’m looking forwards to it! Also really appreciate the guides. Any thoughts on adding a section on each of those guides on how to migrate from the original setup guide with QuickConnect to make the changes needed to get those to work instead?
Hey apologies your comment dropped into spam! – So from a quick connect basis you just need to turn that off and then any apps you use etc will just be available via the original NAS IP, you can really get deep in with Tailscale and setup SSL and specific addresses for apps but its kind of out of scope of this guide.
I will try and carve some time out to get something around internal SSL/addresses in place.
Is there a way to determine if hardware transcoding is working?
Yes, check the Admin Dashboard when playing something, on your end device change the resolution to force a transcode. It will tell you in the Dashboard what is happening 🙂
It just shows transcoding. Doesn’t show if software or hardware. Seems too slow for hardware.
Sorry had Plex on the mind!
Go to the Logs, and it will have one for the transcode taking place. It should have lines relating to /usr/lib/jellyfin-ffmpeg/ffmpeg -analyzeduration 200M -ss 00:16:48.000 -init_hw_device
Then a part the says `-hwaccel_output_format vaapi` which signifies what is being used for the encode.
Thanks!!
There’s an error in this document. On your summary image near this paragraph: “On the final screen click ‘Done’ which will begin the download of the container images and once downloaded they will be launched!”
the Path is pointing to `/docker/projects/jellyfin` however in your previous screenshot you instruct the user (and in the image) to use the path `/docker/projects/jellyfin-compose`. This is near the text: “In the next screen we will set up our General Settings, enter the following:”
Which is the right one?
Good spot – I must of missed updating the final image I will fix that now.
It’s the path as described in the first part and image. /docker/projects/jellyfin-compose
To be fair both work its just consistency from a guide perspective.