| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 |
- [Unit]
- Description = Jellyfin Media Server
- After = network-online.target
- [Service]
- Type = simple
- EnvironmentFile = /etc/default/jellyfin
- User = jellyfin
- ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
- Restart = on-failure
- TimeoutSec = 15
- NoNewPrivileges=true
- SystemCallArchitectures=native
- RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
- RestrictNamespaces=true
- RestrictRealtime=true
- RestrictSUIDSGID=true
- ProtectClock=true
- ProtectControlGroups=true
- ProtectHostname=true
- ProtectKernelLogs=true
- ProtectKernelModules=true
- ProtectKernelTunables=true
- LockPersonality=true
- PrivateTmp=true
- PrivateDevices=false
- PrivateUsers=true
- RemoveIPC=true
- SystemCallFilter=~@clock
- SystemCallFilter=~@aio
- SystemCallFilter=~@chown
- SystemCallFilter=~@cpu-emulation
- SystemCallFilter=~@debug
- SystemCallFilter=~@keyring
- SystemCallFilter=~@memlock
- SystemCallFilter=~@module
- SystemCallFilter=~@mount
- SystemCallFilter=~@obsolete
- SystemCallFilter=~@privileged
- SystemCallFilter=~@raw-io
- SystemCallFilter=~@reboot
- SystemCallFilter=~@setuid
- SystemCallFilter=~@swap
- SystemCallErrorNumber=EPERM
- [Install]
- WantedBy = multi-user.target
|
