2 files changed, 11 insertions, 7 deletions

diff --git a/debian/conf/jellyfin b/debian/conf/jellyfin
index ab8d5d1d4d..2f0630a9ce 100644
--- a/debian/conf/jellyfin
+++ b/debian/conf/jellyfin
@@ -44,6 +44,8 @@ JELLYFIN_ADDITIONAL_OPTS=""
 #
 # SysV init/Upstart options
 #
+# Note: These options are ignored by systemd; use /etc/systemd/system/jellyfin.d overrides instead.
+#
 
 # Application username
 JELLYFIN_USER="jellyfin"
diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index b86f40473a..064e105373 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -6,23 +6,26 @@ After = network-online.target
 Type = simple
 EnvironmentFile = /etc/default/jellyfin
 User = jellyfin
+Group = jellyfin
+WorkingDirectory = /var/lib/jellyfin
 ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
 Restart = on-failure
 TimeoutSec = 15
+SuccessExitStatus=0 143
 
 NoNewPrivileges=true
 SystemCallArchitectures=native
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=true
+RestrictNamespaces=false
 RestrictRealtime=true
 RestrictSUIDSGID=true
-ProtectControlGroups=true
+ProtectControlGroups=false
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
+ProtectKernelLogs=false
+ProtectKernelModules=false
+ProtectKernelTunables=false
 LockPersonality=true
-PrivateTmp=true
+PrivateTmp=false
 PrivateDevices=false
 PrivateUsers=true
 RemoveIPC=true
@@ -43,6 +46,5 @@ SystemCallFilter=~@setuid
 SystemCallFilter=~@swap
 SystemCallErrorNumber=EPERM
 
-
 [Install]
 WantedBy = multi-user.target