commit e25cd7827e8ba24d50bdc9e69b63d8239099ec6d · pyrox.dev/nixpkgs

+40
nixos/modules/services/misc/jellyfin.nix
···

       45
       45
        
               CacheDirectory = "jellyfin";

     

       46
       46
        
               ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";

     

       47
       47
        
               Restart = "on-failure";

     

       48
       48
       +
       

     

       49
       49
       +
               # Security options:

     

       50
       50
       +
       

     

       51
       51
       +
               NoNewPrivileges = true;

     

       52
       52
       +
       

     

       53
       53
       +
               AmbientCapabilities = "";

     

       54
       54
       +
               CapabilityBoundingSet = "";

     

       55
       55
       +
       

     

       56
       56
       +
               # ProtectClock= adds DeviceAllow=char-rtc r

     

       57
       57
       +
               DeviceAllow = "";

     

       58
       58
       +
       

     

       59
       59
       +
               LockPersonality = true;

     

       60
       60
       +
       

     

       61
       61
       +
               PrivateTmp = true;

     

       62
       62
       +
               PrivateDevices = true;

     

       63
       63
       +
               PrivateUsers = true;

     

       64
       64
       +
       

     

       65
       65
       +
               ProtectClock = true;

     

       66
       66
       +
               ProtectControlGroups = true;

     

       67
       67
       +
               ProtectHostname = true;

     

       68
       68
       +
               ProtectKernelLogs = true;

     

       69
       69
       +
               ProtectKernelModules = true;

     

       70
       70
       +
               ProtectKernelTunables = true;

     

       71
       71
       +
       

     

       72
       72
       +
               RemoveIPC = true;

     

       73
       73
       +
       

     

       74
       74
       +
               RestrictNamespaces = true;

     

       75
       75
       +
               # AF_NETLINK needed because Jellyfin monitors the network connection

     

       76
       76
       +
               RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];

     

       77
       77
       +
               RestrictRealtime = true;

     

       78
       78
       +
               RestrictSUIDSGID = true;

     

       79
       79
       +
       

     

       80
       80
       +
               SystemCallArchitectures = "native";

     

       81
       81
       +
               SystemCallErrorNumber = "EPERM";

     

       82
       82
       +
               SystemCallFilter = [

     

       83
       83
       +
                 "@system-service"

     

       84
       84
       +
       

     

       85
       85
       +
                 "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"

     

       86
       86
       +
                 "~@obsolete" "~@privileged" "~@setuid"

     

       87
       87
       +
               ];

     

       48
       88
        
             };

     

       49
       89
        
           };

     

       50
       90