Merge pull request #7887 from joshuaboniface/fix-restart.sh
(cherry picked from commit 294ab0757e
)
Signed-off-by: Joshua Boniface <joshua@boniface.me>
This commit is contained in:
parent
1ee1a05fc7
commit
669855e686
48
debian/conf/jellyfin.service.conf
vendored
48
debian/conf/jellyfin.service.conf
vendored
|
@ -3,5 +3,53 @@
|
|||
# Use this file to override the user or environment file location.
|
||||
|
||||
[Service]
|
||||
# Alter the user that Jellyfin runs as
|
||||
#User = jellyfin
|
||||
|
||||
# Alter where environment variables are sourced from
|
||||
#EnvironmentFile = /etc/default/jellyfin
|
||||
|
||||
# Service hardening options
|
||||
# These were added in PR #6953 to solve issue #6952, but some combination of
|
||||
# them causes "restart.sh" functionality to break with the following error:
|
||||
# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
|
||||
# 'nosuid' option set or an NFS file system without root privileges?
|
||||
# See issue #7503 for details on the troubleshooting that went into this.
|
||||
# Since these were added for NixOS specifically and are above and beyond
|
||||
# what 99% of systemd units do, they have been moved here as optional
|
||||
# additional flags to set for maximum system security and can be enabled at
|
||||
# the administrator's or package maintainer's discretion.
|
||||
# Uncomment these only if you know what you're doing, and doing so may cause
|
||||
# bugs with in-server Restart and potentially other functionality as well.
|
||||
#NoNewPrivileges=true
|
||||
#SystemCallArchitectures=native
|
||||
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
#RestrictNamespaces=false
|
||||
#RestrictRealtime=true
|
||||
#RestrictSUIDSGID=true
|
||||
#ProtectControlGroups=false
|
||||
#ProtectHostname=true
|
||||
#ProtectKernelLogs=false
|
||||
#ProtectKernelModules=false
|
||||
#ProtectKernelTunables=false
|
||||
#LockPersonality=true
|
||||
#PrivateTmp=false
|
||||
#PrivateDevices=false
|
||||
#PrivateUsers=true
|
||||
#RemoveIPC=true
|
||||
#SystemCallFilter=~@clock
|
||||
#SystemCallFilter=~@aio
|
||||
#SystemCallFilter=~@chown
|
||||
#SystemCallFilter=~@cpu-emulation
|
||||
#SystemCallFilter=~@debug
|
||||
#SystemCallFilter=~@keyring
|
||||
#SystemCallFilter=~@memlock
|
||||
#SystemCallFilter=~@module
|
||||
#SystemCallFilter=~@mount
|
||||
#SystemCallFilter=~@obsolete
|
||||
#SystemCallFilter=~@privileged
|
||||
#SystemCallFilter=~@raw-io
|
||||
#SystemCallFilter=~@reboot
|
||||
#SystemCallFilter=~@setuid
|
||||
#SystemCallFilter=~@swap
|
||||
#SystemCallErrorNumber=EPERM
|
||||
|
|
33
debian/jellyfin.service
vendored
33
debian/jellyfin.service
vendored
|
@ -13,38 +13,5 @@ Restart = on-failure
|
|||
TimeoutSec = 15
|
||||
SuccessExitStatus=0 143
|
||||
|
||||
NoNewPrivileges=true
|
||||
SystemCallArchitectures=native
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=false
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
ProtectControlGroups=false
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=false
|
||||
ProtectKernelModules=false
|
||||
ProtectKernelTunables=false
|
||||
LockPersonality=true
|
||||
PrivateTmp=false
|
||||
PrivateDevices=false
|
||||
PrivateUsers=true
|
||||
RemoveIPC=true
|
||||
SystemCallFilter=~@clock
|
||||
SystemCallFilter=~@aio
|
||||
SystemCallFilter=~@chown
|
||||
SystemCallFilter=~@cpu-emulation
|
||||
SystemCallFilter=~@debug
|
||||
SystemCallFilter=~@keyring
|
||||
SystemCallFilter=~@memlock
|
||||
SystemCallFilter=~@module
|
||||
SystemCallFilter=~@mount
|
||||
SystemCallFilter=~@obsolete
|
||||
SystemCallFilter=~@privileged
|
||||
SystemCallFilter=~@raw-io
|
||||
SystemCallFilter=~@reboot
|
||||
SystemCallFilter=~@setuid
|
||||
SystemCallFilter=~@swap
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
[Install]
|
||||
WantedBy = multi-user.target
|
||||
|
|
Loading…
Reference in New Issue
Block a user