authortxtsd2024-11-09 23:01:53 +0530
committertxtsd2024-11-09 23:01:53 +0530
commit372b89cbbdf98408d56a1e34782ad4a0106a30c7 (patch)
tree0ed90057c7c849d5cac2516af22a44316d4f73c0 /readarr.service
parent074173210833a343d45f1be4d9b23eadf3452072 (diff)
downloadaur-372b89cbbdf98408d56a1e34782ad4a0106a30c7.tar.gz
upgpkg: readarr-develop-bin 0.4.3.2665-2
Harden systemd service Signed-off-by: txtsd <code@ihavea.quest>
Diffstat (limited to 'readarr.service')
-rw-r--r--readarr.service60
1 files changed, 52 insertions, 8 deletions
diff --git a/readarr.service b/readarr.service
index 0f43b3c01298..a6b6cfa3db62 100644
--- a/readarr.service
+++ b/readarr.service
@@ -1,10 +1,20 @@
-# Be sure to use `systemctl edit readarr` to modify this service with an override.conf because
-# direct changes will be overwritten by package updates.
+# Be sure to use `systemctl edit readarr` to modify this service with an
+# override.conf because direct changes will be overwritten by package updates.
#
-# A user per service w/ shared group setup would have an override like:
+# A user per service with shared group setup would have an override like:
# [Service]
# Group=sharedgroupname
# UMask=002
+#
+# If your media directory is in /home (it shouldn't be)
+# You will need to have an override like:
+# [Service]
+# PrivateUsers=false
+# ProtectHome=false
+#
+# When running readarr in LXC:
+# [Service]
+# PrivateUsers=false
[Unit]
Description=Readarr Daemon
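Review bot: The added /home example switches the protection off entirely with `ProtectHome=false`, although only the media path needs write access. A narrower example such as `# ReadWritePaths=/home/<user>/<media-dir>`, left under the default `ProtectHome=read-only`, would probably cover the same case and keep other home directories read-only; it should be tested before being documented. The retained comment above it still presents `Group=sharedgroupname` and `UMask=002` as something an override adds, while the [Service] hunk now sets `Group=media` and `UMask=002` by default, so it should say the override is only for a group other than `media`.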
@@ -14,14 +24,48 @@ After=network-online.target
[Service]
Type=simple
User=readarr
-Group=readarr
-SyslogIdentifier=readarr
+Group=media
+UMask=002
Environment=XDG_DATA_HOME=/var/lib/readarr
-WorkingDirectory=/usr/lib/readarr
ExecStart=/usr/lib/readarr/bin/Readarr -nobrowser -data=/var/lib/readarr
-Restart=on-failure
-RestartSec=5
KillMode=process
+PIDFile=/run/readarr/readarr.pid
+Restart=on-failure
+RestartSec=10
+TimeoutStopSec=20
+SyslogIdentifier=readarr
+ConfigurationDirectory=readarr
+LogsDirectory=readarr
+RuntimeDirectory=readarr
+StateDirectory=readarr
+WorkingDirectory=/var/lib/readarr
+
+# Hardening
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETGID
+LockPersonality=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SocketBindAllow=ipv4:tcp
+SocketBindAllow=ipv6:tcp
+SocketBindDeny=any
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
[Install]
WantedBy=multi-user.target
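Review bot: `CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETGID` keeps three capabilities that the rest of the unit appears to make unusable. The service runs as `User=readarr` with `NoNewPrivileges=true` and no `AmbientCapabilities=`, and `SystemCallFilter=~@privileged` denies the chown and setgid system-call groups as far as I know. If Readarr never needs them, an empty `CapabilityBoundingSet=` says so directly, and `RestrictSUIDSGID=true` would fit next to `UMask=002`; if something does need them, a comment above the line should say what. Separately, `SocketBindAllow=ipv4:tcp` and `SocketBindAllow=ipv6:tcp` permit bind() on every TCP port, so narrowing them to the configured listening port, e.g. `SocketBindAllow=tcp:<PORT>`, would give `SocketBindDeny=any` more effect. `Group=media` also assumes the package creates that group, which is not visible in this diff.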