author | txtsd | 2024-11-09 23:01:53 +0530 |
---|---|---|
committer | txtsd | 2024-11-09 23:01:53 +0530 |
commit | 372b89cbbdf98408d56a1e34782ad4a0106a30c7 (patch) | |
tree | 0ed90057c7c849d5cac2516af22a44316d4f73c0 /readarr.service | |
parent | 074173210833a343d45f1be4d9b23eadf3452072 (diff) | |
download | aur-372b89cbbdf98408d56a1e34782ad4a0106a30c7.tar.gz |
upgpkg: readarr-develop-bin 0.4.3.2665-2
Harden systemd service
Signed-off-by: txtsd <code@ihavea.quest>
Diffstat (limited to 'readarr.service')
-rw-r--r-- | readarr.service | 60 |
1 files changed, 52 insertions, 8 deletions
diff --git a/readarr.service b/readarr.service
index 0f43b3c01298..a6b6cfa3db62 100644
--- a/readarr.service
+++ b/readarr.service
@@ -1,10 +1,20 @@
-# Be sure to use `systemctl edit readarr` to modify this service with an override.conf because
-# direct changes will be overwritten by package updates.
+# Be sure to use `systemctl edit readarr` to modify this service with an
+# override.conf because direct changes will be overwritten by package updates.
 #
-# A user per service w/ shared group setup would have an override like:
+# A user per service with shared group setup would have an override like:
 # [Service]
 # Group=sharedgroupname
 # UMask=002
+#
+# If your media directory is in /home (it shouldn't be)
+# You will need to have an override like:
+# [Service]
+# PrivateUsers=false
+# ProtectHome=false
+#
+# When running readarr in LXC:
+# [Service]
+# PrivateUsers=false

 [Unit]
 Description=Readarr Daemon
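Review bot: The new `/home` override in the header comment switches off `ProtectHome` for the whole service, and `PrivateUsers` with it, when only one directory needs to be writable. With `ProtectHome=read-only` left in place, an override such as `ReadWritePaths=/home/USER/MEDIA_DIR` (placeholder path) should re-open just the media directory, though that is worth testing before it is recommended. The comment also gives no reason why `PrivateUsers=false` is needed in the `/home` and LXC cases; a one-line explanation would let users judge what protection they are giving up.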
@@ -14,14 +24,48 @@ After=network-online.target
 [Service]
 Type=simple
 User=readarr
-Group=readarr
-SyslogIdentifier=readarr
+Group=media
+UMask=002
 Environment=XDG_DATA_HOME=/var/lib/readarr
-WorkingDirectory=/usr/lib/readarr
 ExecStart=/usr/lib/readarr/bin/Readarr -nobrowser -data=/var/lib/readarr
-Restart=on-failure
-RestartSec=5
 KillMode=process
+PIDFile=/run/readarr/readarr.pid
+Restart=on-failure
+RestartSec=10
+TimeoutStopSec=20
+SyslogIdentifier=readarr
+ConfigurationDirectory=readarr
+LogsDirectory=readarr
+RuntimeDirectory=readarr
+StateDirectory=readarr
+WorkingDirectory=/var/lib/readarr
+
+# Hardening
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETGID
+LockPersonality=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SocketBindAllow=ipv4:tcp
+SocketBindAllow=ipv6:tcp
+SocketBindDeny=any
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged

 [Install]
 WantedBy=multi-user.target
|
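Review bot: `Group=media` combined with `UMask=002` and `StateDirectory=readarr` leaves the application's data directory open to every account in the shared group. systemd creates `/var/lib/readarr` with the default mode 0755 and assigns it to `readarr:media`, and files written under it become group-writable, so another service in `media` could read or alter whatever Readarr keeps under `-data=/var/lib/readarr` (presumably its configuration and database). Adding `StateDirectoryMode=0700`, and `LogsDirectoryMode=0750` if logs should not be world-readable, would keep the shared group for the media library only. Separately, `CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETGID` appears to grant nothing to a `User=readarr` process running with `NoNewPrivileges=true` and no `AmbientCapabilities=`, so an empty `CapabilityBoundingSet=` would be the tighter setting if nothing depends on those three.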