authorMinijackson <minijackson@riseup.net>2020-09-17 21:10:44 +0200
committerMinijackson <minijackson@riseup.net>2020-10-20 21:09:28 +0200
commit4e51247318f1f28d79d0f85e26ddbe17918c97e4 (patch)
treeb177e47f7bbb1900d1899cafc7c773d47a84eefe
parent5c84d57a592ad3a955a8c03240459c78568efe81 (diff)
nixos/jellyfin: add some systemd security options
-rw-r--r--nixos/modules/services/misc/jellyfin.nix40
1 files changed, 40 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix
index 0493dadea94..6a47dc3628f 100644
--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -45,6 +45,46 @@ in
         CacheDirectory = "jellyfin";
         ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
         Restart = "on-failure";
+
+        # Security options:
+
+        NoNewPrivileges = true;
+
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+
+        # ProtectClock= adds DeviceAllow=char-rtc r
+        DeviceAllow = "";
+
+        LockPersonality = true;
+
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+
+        RemoveIPC = true;
+
+        RestrictNamespaces = true;
+        # AF_NETLINK needed because Jellyfin monitors the network connection
+        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [
+          "@system-service"
+
+          "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"
+          "~@obsolete" "~@privileged" "~@setuid"
+        ];
       };
     };
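Review bot: The new hardening block never sets `ProtectSystem` or `ProtectHome`, so the service keeps a writable view of /usr, /etc and /boot and can read every home directory, which are the filesystem restrictions that matter most once the capability sets are already empty (the `CapabilityBoundingSet = ""` line). Since the unit already declares `StateDirectory` and `CacheDirectory` in the lines above the added block, `ProtectSystem = "strict"; ProtectHome = true;` should work as-is because systemd keeps those two directories writable; deployments that keep media libraries under /home would then need a BindReadOnlyPaths entry, which is worth a comment next to the option. `PrivateDevices = true` also hides /dev/dri, which presumably breaks hardware-accelerated transcoding for anyone who enabled it in Jellyfin, so a comment explaining that trade-off (or an option to relax it) would save users a confusing failure. The enclosing `config` attribute set continues outside the hunk.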