diff options
| author | Mx Kookie <kookie@spacekookie.de> | 2020-12-09 18:55:19 +0000 |
|---|---|---|
| committer | Mx Kookie <kookie@spacekookie.de> | 2020-12-09 18:55:19 +0000 |
| commit | 80d90d9b204f7c17912740f9f414fe5d59f293ba (patch) | |
| tree | 5f2065a06e724270610760d59d01c6888b375a46 /infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix | |
| parent | 3a31a84c7d3e589035ad08499206aac44a81f424 (diff) | |
| parent | 83cbad92d73216bb0d9187c56cce0b91f9121d5a (diff) | |
Merge commit '83cbad92d73216bb0d9187c56cce0b91f9121d5a' into main
Diffstat (limited to 'infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix')
| -rw-r--r-- | infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix b/infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix index 0493dadea94e..6a47dc3628f4 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/services/misc/jellyfin.nix @@ -45,6 +45,46 @@ in CacheDirectory = "jellyfin"; ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; Restart = "on-failure"; + + # Security options: + + NoNewPrivileges = true; + + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + + LockPersonality = true; + + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RemoveIPC = true; + + RestrictNamespaces = true; + # AF_NETLINK needed because Jellyfin monitors the network connection + RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + + "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module" + "~@obsolete" "~@privileged" "~@setuid" + ]; }; }; |