diff options
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | debian/conf/jellyfin-sudoers | 4 | ||||
| -rw-r--r-- | debian/conf/jellyfin.service.conf | 48 | ||||
| -rw-r--r-- | debian/jellyfin.service | 33 | ||||
| -rw-r--r-- | debian/metapackage/jellyfin | 2 | ||||
| -rwxr-xr-x | debian/rules | 2 |
6 files changed, 56 insertions, 39 deletions
diff --git a/debian/changelog b/debian/changelog index 430594cac..0d744c02a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +jellyfin-server (10.9.0-1) unstable; urgency=medium + + * New upstream version 10.9.0; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.9.0 + + -- Jellyfin Packaging Team <packaging@jellyfin.org> Wed, 13 Jul 2022 20:58:08 -0600 + jellyfin-server (10.8.0-1) unstable; urgency=medium * Forthcoming stable release diff --git a/debian/conf/jellyfin-sudoers b/debian/conf/jellyfin-sudoers index f84e7454f..795fd17e8 100644 --- a/debian/conf/jellyfin-sudoers +++ b/debian/conf/jellyfin-sudoers @@ -30,8 +30,4 @@ Defaults!RESTARTSERVER_INITD !requiretty Defaults!STARTSERVER_INITD !requiretty Defaults!STOPSERVER_INITD !requiretty -#Allow the server to mount iso images -jellyfin ALL=(ALL) NOPASSWD: /bin/mount -jellyfin ALL=(ALL) NOPASSWD: /bin/umount - Defaults:jellyfin !requiretty diff --git a/debian/conf/jellyfin.service.conf b/debian/conf/jellyfin.service.conf index 1b69dd74e..1f92d7d94 100644 --- a/debian/conf/jellyfin.service.conf +++ b/debian/conf/jellyfin.service.conf @@ -3,5 +3,53 @@ # Use this file to override the user or environment file location. [Service] +# Alter the user that Jellyfin runs as #User = jellyfin + +# Alter where environment variables are sourced from #EnvironmentFile = /etc/default/jellyfin + +# Service hardening options +# These were added in PR #6953 to solve issue #6952, but some combination of +# them causes "restart.sh" functionality to break with the following error: +# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the +# 'nosuid' option set or an NFS file system without root privileges? +# See issue #7503 for details on the troubleshooting that went into this. +# Since these were added for NixOS specifically and are above and beyond +# what 99% of systemd units do, they have been moved here as optional +# additional flags to set for maximum system security and can be enabled at +# the administrator's or package maintainer's discretion. +# Uncomment these only if you know what you're doing, and doing so may cause +# bugs with in-server Restart and potentially other functionality as well. +#NoNewPrivileges=true +#SystemCallArchitectures=native +#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +#RestrictNamespaces=false +#RestrictRealtime=true +#RestrictSUIDSGID=true +#ProtectControlGroups=false +#ProtectHostname=true +#ProtectKernelLogs=false +#ProtectKernelModules=false +#ProtectKernelTunables=false +#LockPersonality=true +#PrivateTmp=false +#PrivateDevices=false +#PrivateUsers=true +#RemoveIPC=true +#SystemCallFilter=~@clock +#SystemCallFilter=~@aio +#SystemCallFilter=~@chown +#SystemCallFilter=~@cpu-emulation +#SystemCallFilter=~@debug +#SystemCallFilter=~@keyring +#SystemCallFilter=~@memlock +#SystemCallFilter=~@module +#SystemCallFilter=~@mount +#SystemCallFilter=~@obsolete +#SystemCallFilter=~@privileged +#SystemCallFilter=~@raw-io +#SystemCallFilter=~@reboot +#SystemCallFilter=~@setuid +#SystemCallFilter=~@swap +#SystemCallErrorNumber=EPERM diff --git a/debian/jellyfin.service b/debian/jellyfin.service index 064e10537..2f97c4654 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -13,38 +13,5 @@ Restart = on-failure TimeoutSec = 15 SuccessExitStatus=0 143 -NoNewPrivileges=true -SystemCallArchitectures=native -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=false -RestrictRealtime=true -RestrictSUIDSGID=true -ProtectControlGroups=false -ProtectHostname=true -ProtectKernelLogs=false -ProtectKernelModules=false -ProtectKernelTunables=false -LockPersonality=true -PrivateTmp=false -PrivateDevices=false -PrivateUsers=true -RemoveIPC=true -SystemCallFilter=~@clock -SystemCallFilter=~@aio -SystemCallFilter=~@chown -SystemCallFilter=~@cpu-emulation -SystemCallFilter=~@debug -SystemCallFilter=~@keyring -SystemCallFilter=~@memlock -SystemCallFilter=~@module -SystemCallFilter=~@mount -SystemCallFilter=~@obsolete -SystemCallFilter=~@privileged -SystemCallFilter=~@raw-io -SystemCallFilter=~@reboot -SystemCallFilter=~@setuid -SystemCallFilter=~@swap -SystemCallErrorNumber=EPERM - [Install] WantedBy = multi-user.target diff --git a/debian/metapackage/jellyfin b/debian/metapackage/jellyfin index a9a0ae5b0..8787c3a49 100644 --- a/debian/metapackage/jellyfin +++ b/debian/metapackage/jellyfin @@ -5,7 +5,7 @@ Homepage: https://jellyfin.org Standards-Version: 3.9.2 Package: jellyfin -Version: 10.8.0 +Version: 10.9.0 Maintainer: Jellyfin Packaging Team <packaging@jellyfin.org> Depends: jellyfin-server, jellyfin-web Description: Provides the Jellyfin Free Software Media System diff --git a/debian/rules b/debian/rules index 64e2b48ea..f55b1807e 100755 --- a/debian/rules +++ b/debian/rules @@ -40,7 +40,7 @@ override_dh_clistrip: override_dh_auto_build: dotnet publish -maxcpucount:1 --configuration $(CONFIG) --output='$(CURDIR)/usr/lib/jellyfin/bin' --self-contained --runtime $(DOTNETRUNTIME) \ - "-p:DebugSymbols=false;DebugType=none" Jellyfin.Server + -p:DebugSymbols=false -p:DebugType=none Jellyfin.Server override_dh_auto_clean: dotnet clean -maxcpucount:1 --configuration $(CONFIG) Jellyfin.Server || true |