Diffstat (limited to 'debian/conf/jellyfin.service.conf')
-rw-r--r--debian/conf/jellyfin.service.conf55
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/conf/jellyfin.service.conf b/debian/conf/jellyfin.service.conf
new file mode 100644
index 0000000..1f92d7d
--- /dev/null
+++ b/debian/conf/jellyfin.service.conf
@@ -0,0 +1,55 @@
+# Jellyfin systemd configuration options
+
+# Use this file to override the user or environment file location.
+
+[Service]
+# Alter the user that Jellyfin runs as
+#User = jellyfin
+
+# Alter where environment variables are sourced from
+#EnvironmentFile = /etc/default/jellyfin
+
+# Service hardening options
+# These were added in PR #6953 to solve issue #6952, but some combination of
+# them causes "restart.sh" functionality to break with the following error:
+# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
+# 'nosuid' option set or an NFS file system without root privileges?
+# See issue #7503 for details on the troubleshooting that went into this.
+# Since these were added for NixOS specifically and are above and beyond
+# what 99% of systemd units do, they have been moved here as optional
+# additional flags to set for maximum system security and can be enabled at
+# the administrator's or package maintainer's discretion.
+# Uncomment these only if you know what you're doing, and doing so may cause
+# bugs with in-server Restart and potentially other functionality as well.
+#NoNewPrivileges=true
+#SystemCallArchitectures=native
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+#RestrictNamespaces=false
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
+#ProtectControlGroups=false
+#ProtectHostname=true
+#ProtectKernelLogs=false
+#ProtectKernelModules=false
+#ProtectKernelTunables=false
+#LockPersonality=true
+#PrivateTmp=false
+#PrivateDevices=false
+#PrivateUsers=true
+#RemoveIPC=true
+#SystemCallFilter=~@clock
+#SystemCallFilter=~@aio
+#SystemCallFilter=~@chown
+#SystemCallFilter=~@cpu-emulation
+#SystemCallFilter=~@debug
+#SystemCallFilter=~@keyring
+#SystemCallFilter=~@memlock
+#SystemCallFilter=~@module
+#SystemCallFilter=~@mount
+#SystemCallFilter=~@obsolete
+#SystemCallFilter=~@privileged
+#SystemCallFilter=~@raw-io
+#SystemCallFilter=~@reboot
+#SystemCallFilter=~@setuid
+#SystemCallFilter=~@swap
+#SystemCallErrorNumber=EPERM
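Review bot: The header comment above the hardening list says only that "some combination" of these options breaks restart.sh, so an administrator cannot tell which lines are safe to uncomment. The quoted sudo error is the usual symptom of the no_new_privs flag, which `NoNewPrivileges=true` sets. As I read systemd.exec(5), `SystemCallFilter=`, `RestrictSUIDSGID=`, `RestrictRealtime=`, `LockPersonality=` and similar settings also imply that flag when the unit runs as a non-root `User=`, so leaving `NoNewPrivileges` commented is probably not enough; `PrivateUsers=true` and `SystemCallFilter=~@setuid` would likely block sudo on their own. I would add a comment such as `# NoNewPrivileges, PrivateUsers, RestrictSUIDSGID and the SystemCallFilter lines stop sudo from gaining root; enable them only if in-server Restart is not needed.` Separately, the `=false` entries (`RestrictNamespaces`, `ProtectControlGroups`, `ProtectKernelLogs`, `ProtectKernelModules`, `ProtectKernelTunables`, `PrivateTmp`, `PrivateDevices`) match systemd's defaults for a system service, so uncommenting them adds no hardening, and a one-line comment saying so would avoid a false sense of coverage under the "maximum system security" wording.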