author | Minijackson <minijackson@riseup.net> | 2020-09-17 21:10:44 +0200 |
---|---|---|
committer | Minijackson <minijackson@riseup.net> | 2020-10-20 21:09:28 +0200 |
commit | 4e51247318f1f28d79d0f85e26ddbe17918c97e4 (patch) | |
tree | b177e47f7bbb1900d1899cafc7c773d47a84eefe | |
parent | 5c84d57a592ad3a955a8c03240459c78568efe81 (diff) | |
nixos/jellyfin: add some systemd security options
-rw-r--r-- | nixos/modules/services/misc/jellyfin.nix | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix
index 0493dadea94..6a47dc3628f 100644
--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -45,6 +45,46 @@ in
 CacheDirectory = "jellyfin";
 ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
 Restart = "on-failure";
+
+ # Security options:
+
+ NoNewPrivileges = true;
+
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+
+ # ProtectClock= adds DeviceAllow=char-rtc r
+ DeviceAllow = "";
+
+ LockPersonality = true;
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ RemoveIPC = true;
+
+ RestrictNamespaces = true;
+ # AF_NETLINK needed because Jellyfin monitors the network connection
+ RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [
+ "@system-service"
+
+ "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"
+ "~@obsolete" "~@privileged" "~@setuid"
+ ];
 };
 }; |
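Review bot: `PrivateDevices = true;` gives the service a private /dev holding only pseudo-devices, so /dev/dri (and any other GPU or tuner node) is invisible to Jellyfin and the ffmpeg processes it spawns, which means hardware-accelerated transcoding cannot work for any user of this module, and because the value is hard-coded, opting out requires `lib.mkForce`. Either default it off with a comment, `# hardware transcoding needs /dev/dri` / `PrivateDevices = false;`, or expose it as a module option so the hardening stays the default for installations without a GPU. `RestrictAddressFamilies` omits `AF_UNIX`; the .NET runtime and ffmpeg are likely to open Unix-domain sockets, so verify that the service starts and transcodes under this exact list, or add `"AF_UNIX"`. The list also has no `ProtectSystem`/`ProtectHome`; `ProtectSystem = "strict";` leaves `StateDirectory`/`CacheDirectory` writable and would cover the filesystem the way the rest of this list covers capabilities and syscalls, though libraries Jellyfin writes metadata into would then need `ReadWritePaths`. The enclosing attribute set (presumably `serviceConfig`) starts before this hunk.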