blob: 69049149673279466e1737ebe43ee013dd0023ec (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
# Be sure to use `systemctl edit prowlarr` to modify this service with an
# override.conf because direct changes will be overwritten by package updates.
#
# A user per service with shared group setup would have an override like:
# [Service]
# Group=sharedgroupname
# UMask=002
#
# If your media directory is in /home (it shouldn't be)
# You will need to have an override like:
# [Service]
# PrivateUsers=false
# ProtectHome=false
#
# When running prowlarr in LXC:
# [Service]
# PrivateUsers=false
[Unit]
Description=Prowlarr Daemon
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=prowlarr
Group=media
UMask=002
Environment=XDG_DATA_HOME=/var/lib/prowlarr
ExecStart=/usr/lib/prowlarr/bin/Prowlarr -nobrowser -data=/var/lib/prowlarr
KillMode=process
PIDFile=/run/prowlarr/prowlarr.pid
Restart=on-failure
RestartSec=10
TimeoutStopSec=20
SyslogIdentifier=prowlarr
ConfigurationDirectory=prowlarr
LogsDirectory=prowlarr
RuntimeDirectory=prowlarr
StateDirectory=prowlarr
WorkingDirectory=/var/lib/prowlarr
# Hardening
LockPersonality=true
NoNewPrivileges=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=full
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
SocketBindAllow=ipv4:tcp
SocketBindAllow=ipv6:tcp
SocketBindDeny=any
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
[Install]
WantedBy=multi-user.target
|