
Merge pull request #98176 from minijackson/jellyfin-systemd-security

nixos/jellyfin: add some systemd security options

authored by

Kevin Cox and committed by
GitHub
e25cd782 7d9979ec

+40
+40
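--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -45,6 +45,46 @@
         CacheDirectory = "jellyfin";
         ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
         Restart = "on-failure";
+
+        # Security options:
+
+        NoNewPrivileges = true;
+
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+
+        # ProtectClock= adds DeviceAllow=char-rtc r
+        DeviceAllow = "";
+
+        LockPersonality = true;
+
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+
+        RemoveIPC = true;
+
+        RestrictNamespaces = true;
+        # AF_NETLINK needed because Jellyfin monitors the network connection
+        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [
+          "@system-service"
+
+          "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"
+          "~@obsolete" "~@privileged" "~@setuid"
+        ];
       };
     };
 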
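Review bot: `RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]` leaves out AF_UNIX, which, as far as I know, the .NET runtime (diagnostics IPC socket) and glibc's nscd-backed NSS lookups on NixOS rely on for local sockets, so name resolution or startup paths may fail with EPERM rather than a clear error; unless a VM test shows Jellyfin runs without it, I would write `RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6" ];` and extend the comment above it to say why AF_UNIX is kept. Likewise `PrivateDevices = true` together with `DeviceAllow = ""` hides every device node, including /dev/dri and /dev/nvidia*, so hardware-accelerated transcoding enabled from Jellyfin's dashboard will presumably stop working; that trade-off deserves a comment next to `PrivateDevices = true;` such as `# Blocks /dev/dri: relax PrivateDevices/DeviceAllow if hardware transcoding is needed`, or a module option to relax it. In the `SystemCallFilter` list, `"~@privileged"` already subsumes `"~@chown"` and `"~@module"` per systemd's syscall groups, so those two entries are redundant and could be dropped for readability. The enclosing `serviceConfig` attribute set starts before this hunk.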