diff options
Diffstat (limited to 'navidrome.service')
-rw-r--r-- | navidrome.service | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/navidrome.service b/navidrome.service new file mode 100644 index 000000000000..e5f172c663bc --- /dev/null +++ b/navidrome.service @@ -0,0 +1,48 @@ +[Unit] +Description=Navidrome Music server +After=network.target +Documentation=https://www.navidrome.org/docs/ +Documentation=https://github.com/navidrome/navidrome/blob/master/contrib/navidrome.service + +[Service] +User=navidrome +Group=navidrome + +ExecStart=/usr/bin/navidrome --configfile /etc/navidrome/navidrome.toml + +StateDirectory=navidrome +WorkingDirectory=/var/lib/navidrome + +# Create this as the user who adds Music files +ReadOnlyPaths=/var/lib/Music + +EnvironmentFile=-/etc/navidrome/envfile + +CapabilityBoundingSet= +AmbientCapabilities= +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +ProtectProc=invisible +RemoveIPC=true +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap @resources + +[Install] +WantedBy=multi-user.target |