Skip to content

Emby

Emby is a media server available at emby.hdhomelab.com. It runs alongside Jellyfin on worker-0a, sharing the same NAS media library, with active Intel GPU access for hardware transcoding.

Deployment

Emby runs in Kubernetes (media namespace) as a single-replica Deployment. It serves media and photography libraries from NAS NFS volumes.

graph LR
    User -->|HTTPS| Gateway[Cilium Gateway]
    Gateway --> Emby[Emby :8096]
    Emby -->|media| MediaNFS[(NAS /volume1/media)]
    Emby -->|photography| PhotoNFS[(NAS /volume1/photography)]
    Emby -->|config| LocalPVC[local-path PVC]
    CronJob[Hourly CronJob] -->|rsync| LocalPVC
    CronJob -->|backup| NFS[(NAS backup PVC)]
    GPU[Intel GPU\nworker-0a] -->|i915| Emby
Hold "Alt" / "Option" to enable pan & zoom

  • URL

    emby.hdhomelab.com

  • Namespace

    media

  • Image

    emby/embyserver

  • Node

    Pinned to worker-0a (Intel GPU)

  • :material-gpu: GPU

    gpu.intel.com/i915: 1 — hardware transcoding active

  • Storage

    local-path config + NAS media + photography volumes

  • Config

    flux/apps/noah/media/emby/

Storage & Backup

Config uses local-path (SQLite performance) with an hourly rsync CronJob to NFS — see SQLite on Local Path for the pattern details and migration procedure.

Volume PVC Storage class Purpose
/config emby-config local-path Database and metadata
/media emby-media syno-nfs-retain Shared NAS media library
/photography emby-photography syno-nfs-retain NAS photography library

Shared media volume

Jellyfin and Emby share the same emby-media PVC (/volume1/media on the NAS).

Force a manual backup
kubectl create job --from=cronjob/emby-config-backup emby-config-backup-manual -n media

GPU & Security Context

Emby uses Intel Quick Sync for hardware transcoding. The container starts as root (required by the s6-overlay init system) and drops privileges to UID 1034 / GID 100 after startup.

Resource Value
gpu.intel.com/i915 request / limit 1 / 1
Supplemental groups 44, 39, 104, 109 (video/render)
Setting Value
runAsUser 0 (root — s6-overlay requirement)
runAsNonRoot false
allowPrivilegeEscalation false
UID / GID (env) 1034 / 100

Runs as root briefly

s6-overlay requires root at startup to initialise the runtime environment, then drops to UID 1034 / GID 100. allowPrivilegeEscalation: false limits the blast radius.

Client IP Logging

Real client IPs are logged automatically — no app-level configuration needed. The fix is at the network layer: the router forwards directly to Traefik's macvlan IP, bypassing Docker's userland proxy. See Client IP Preservation.

Key Configuration

Setting Value
TZ America/New_York
GIDLIST 44,39,104,109 (GPU device access)
CPU request / limit 2 / 4
Memory request / limit 3 GiB / 8 GiB

Hardware transcoding

GPU access is already provisioned. Enable it in Emby under Dashboard → Playback → Hardware acceleration → Intel Quick Sync Video (QSV).