diff options
| -rw-r--r-- | debian/conf/jellyfin | 2 | ||||
| -rw-r--r-- | debian/jellyfin.service | 16 | ||||
| -rw-r--r-- | fedora/jellyfin.service | 56 |
3 files changed, 57 insertions, 17 deletions
diff --git a/debian/conf/jellyfin b/debian/conf/jellyfin index ab8d5d1d4..2f0630a9c 100644 --- a/debian/conf/jellyfin +++ b/debian/conf/jellyfin @@ -44,6 +44,8 @@ JELLYFIN_ADDITIONAL_OPTS="" # # SysV init/Upstart options # +# Note: These options are ignored by systemd; use /etc/systemd/system/jellyfin.d overrides instead. +# # Application username JELLYFIN_USER="jellyfin" diff --git a/debian/jellyfin.service b/debian/jellyfin.service index b86f40473..064e10537 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -6,23 +6,26 @@ After = network-online.target Type = simple EnvironmentFile = /etc/default/jellyfin User = jellyfin +Group = jellyfin +WorkingDirectory = /var/lib/jellyfin ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS} Restart = on-failure TimeoutSec = 15 +SuccessExitStatus=0 143 NoNewPrivileges=true SystemCallArchitectures=native RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=true +RestrictNamespaces=false RestrictRealtime=true RestrictSUIDSGID=true -ProtectControlGroups=true +ProtectControlGroups=false ProtectHostname=true -ProtectKernelLogs=true -ProtectKernelModules=true -ProtectKernelTunables=true +ProtectKernelLogs=false +ProtectKernelModules=false +ProtectKernelTunables=false LockPersonality=true -PrivateTmp=true +PrivateTmp=false PrivateDevices=false PrivateUsers=true RemoveIPC=true @@ -43,6 +46,5 @@ SystemCallFilter=~@setuid SystemCallFilter=~@swap SystemCallErrorNumber=EPERM - [Install] WantedBy = multi-user.target diff --git a/fedora/jellyfin.service b/fedora/jellyfin.service index f706b0ad3..1193ddb5b 100644 --- a/fedora/jellyfin.service +++ b/fedora/jellyfin.service @@ -1,15 +1,51 @@ [Unit] -After=network-online.target -Description=Jellyfin is a free software media system that puts you in control of managing and streaming your media. +Description = Jellyfin Media Server +After = network-online.target [Service] -EnvironmentFile=/etc/sysconfig/jellyfin -WorkingDirectory=/var/lib/jellyfin -ExecStart=/usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} -TimeoutSec=15 -Restart=on-failure -User=jellyfin -Group=jellyfin +Type = simple +EnvironmentFile = /etc/sysconfig/jellyfin +User = jellyfin +Group = jellyfin +WorkingDirectory = /var/lib/jellyfin +ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS} +Restart = on-failure +TimeoutSec = 15 +SuccessExitStatus=0 143 + +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=false +RestrictRealtime=true +RestrictSUIDSGID=true +ProtectClock=true +ProtectControlGroups=false +ProtectHostname=true +ProtectKernelLogs=false +ProtectKernelModules=false +ProtectKernelTunables=false +LockPersonality=true +PrivateTmp=false +PrivateDevices=false +PrivateUsers=true +RemoveIPC=true +SystemCallFilter=~@clock +SystemCallFilter=~@aio +SystemCallFilter=~@chown +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@keyring +SystemCallFilter=~@memlock +SystemCallFilter=~@module +SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@privileged +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@setuid +SystemCallFilter=~@swap +SystemCallErrorNumber=EPERM [Install] -WantedBy=multi-user.target +WantedBy = multi-user.target |