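# systemd service unit for the Jellyfin media server.
# Layout restored to one directive per line: systemd parses unit files line by
# line, so the collapsed single-line form cannot be loaded as written.
# Directive names and values are unchanged.

[Unit]
Description = Jellyfin Media Server
# Ordering only: After= does not pull network-online.target into the boot
# transaction by itself.
After = network-online.target

[Service]
Type = simple
# Supplies the JELLYFIN_* variables expanded in ExecStart. Their contents become
# command-line arguments of the server, so this file should be writable by root
# only.
EnvironmentFile = /etc/sysconfig/jellyfin
# Runs as a dedicated unprivileged account rather than root.
User = jellyfin
Group = jellyfin
WorkingDirectory = /var/lib/jellyfin
# The braced ${VAR} form is substituted as exactly one argument, whitespace
# included, so each variable contributes a single argv entry even when empty.
# NOTE(review): confirm JELLYFIN_ADDITIONAL_OPTS is never expected to carry
# several space-separated options; that would need the unbraced $VAR form.
ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
Restart = on-failure
# Seconds; TimeoutSec= sets both the start and the stop timeout.
TimeoutSec = 15
# 143 is the conventional exit code of a process ended by SIGTERM (128 + 15),
# so a normal stop is not recorded as a failure.
SuccessExitStatus=0 143

# --- Sandboxing -------------------------------------------------------------
# Review the effective exposure with: systemd-analyze security <unit-name>

# The service and its children cannot gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=true
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native
# Allow-list of socket address families; all others are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# NOTE(review): namespace creation is not restricted here.
RestrictNamespaces=false
RestrictRealtime=true
RestrictSUIDSGID=true
# ProtectClock is left disabled: enabling it blocks video hardware acceleration.
#ProtectClock=true
# NOTE(review): the following protections are explicitly switched off. The file
# gives no reason for them; re-test each one set to true and keep it enabled
# wherever the server (including hardware transcoding) still works.
ProtectControlGroups=false
ProtectHostname=true
ProtectKernelLogs=false
ProtectKernelModules=false
ProtectKernelTunables=false
LockPersonality=true
# PrivateTmp=false: the service shares the host's /tmp and /var/tmp.
PrivateTmp=false
# PrivateDevices=false: host device nodes stay visible to the service
# (presumably required for GPU access; confirm).
PrivateDevices=false
# Runs in a private user namespace in which only root and the service's own
# user/group are mapped.
PrivateUsers=true
RemoveIPC=true

# System call deny-list: the leading "~" inverts each group, so the listed
# groups are blocked and every call not listed remains allowed.
# NOTE(review): an allow-list (for example SystemCallFilter=@system-service)
# would be stricter, but needs testing against the server and ffmpeg.
SystemCallFilter=~@clock
SystemCallFilter=~@aio
SystemCallFilter=~@chown
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@keyring
SystemCallFilter=~@memlock
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@setuid
SystemCallFilter=~@swap
# A filtered call fails with EPERM instead of terminating the process.
SystemCallErrorNumber=EPERM

[Install]
WantedBy = multi-user.target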