mirror of
https://github.com/jellyfin/jellyfin.git
synced 2024-09-05 21:37:10 -04:00
874fcaba69
Some combination of these options were causing problems with the functionality of restart.sh as described in the comment and in detail in issue #7503. While these seem OK on their face, the implications of this breaking restart.sh means that they could potentially break other things too. Thus, we should move these into the optional override file which is in the administrator's full control, instead of in the default unit, and leave them off unless a user or package maintainer (e.g. NixOS as described in the original issue #6952) wants to enable them. Fixes #7503
56 lines
1.9 KiB
Plaintext
56 lines
1.9 KiB
Plaintext
# Jellyfin systemd configuration options
|
|
|
|
# Use this file to override the user or environment file location.
|
|
|
|
[Service]
|
|
# Alter the user that Jellyfin runs as
|
|
#User = jellyfin
|
|
|
|
# Alter where environment variables are sourced from
|
|
#EnvironmentFile = /etc/default/jellyfin
|
|
|
|
# Service hardening options
|
|
# These were added in PR #6953 to solve issue #6952, but some combination of
|
|
# them causes "restart.sh" functionality to break with the following error:
|
|
# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
|
|
# 'nosuid' option set or an NFS file system without root privileges?
|
|
# See issue #7503 for details on the troubleshooting that went into this.
|
|
# Since these were added for NixOS specifically and are above and beyond
|
|
# what 99% of systemd units do, they have been moved here as optional
|
|
# additional flags to set for maximum system security and can be enabled at
|
|
# the administrator's or package maintainer's discretion.
|
|
# Uncomment these only if you know what you're doing, and doing so may cause
|
|
# bugs with in-server Restart and potentially other functionality as well.
|
|
#NoNewPrivileges=true
|
|
#SystemCallArchitectures=native
|
|
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
#RestrictNamespaces=false
|
|
#RestrictRealtime=true
|
|
#RestrictSUIDSGID=true
|
|
#ProtectControlGroups=false
|
|
#ProtectHostname=true
|
|
#ProtectKernelLogs=false
|
|
#ProtectKernelModules=false
|
|
#ProtectKernelTunables=false
|
|
#LockPersonality=true
|
|
#PrivateTmp=false
|
|
#PrivateDevices=false
|
|
#PrivateUsers=true
|
|
#RemoveIPC=true
|
|
#SystemCallFilter=~@clock
|
|
#SystemCallFilter=~@aio
|
|
#SystemCallFilter=~@chown
|
|
#SystemCallFilter=~@cpu-emulation
|
|
#SystemCallFilter=~@debug
|
|
#SystemCallFilter=~@keyring
|
|
#SystemCallFilter=~@memlock
|
|
#SystemCallFilter=~@module
|
|
#SystemCallFilter=~@mount
|
|
#SystemCallFilter=~@obsolete
|
|
#SystemCallFilter=~@privileged
|
|
#SystemCallFilter=~@raw-io
|
|
#SystemCallFilter=~@reboot
|
|
#SystemCallFilter=~@setuid
|
|
#SystemCallFilter=~@swap
|
|
#SystemCallErrorNumber=EPERM
|