From 32b4c3797b942325e6fbaf78ac197ef3e76b2435 Mon Sep 17 00:00:00 2001 From: rasmus-kirk Date: Tue, 18 Mar 2025 20:06:17 +0100 Subject: [PATCH] Sandboxed jellyseerr --- CHANGELOG.md | 1 + .../jellyseerr/jellyseerr-module/default.nix | 33 +++++++++---------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1723d3c..2625aa3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Added: - Plex service +- Expose and sandboxing to Jellyseerr module Updated: - If `nixarr.enable` is not enabled other services will automatically now diff --git a/nixarr/jellyseerr/jellyseerr-module/default.nix b/nixarr/jellyseerr/jellyseerr-module/default.nix index 8b4d4a4..103131a 100644 --- a/nixarr/jellyseerr/jellyseerr-module/default.nix +++ b/nixarr/jellyseerr/jellyseerr-module/default.nix @@ -1,4 +1,3 @@ -# TODO: Add expose options for this module { config, pkgs, @@ -68,22 +67,22 @@ in { Group = cfg.group; ExecStart = lib.getExe cfg.package; Restart = "on-failure"; - # TODO: These are from nixpkgs, add them back if we add expose options - # ProtectHome = true; - # ProtectSystem = "strict"; - # PrivateTmp = true; - # PrivateDevices = true; - # ProtectHostname = true; - # ProtectClock = true; - # ProtectKernelTunables = true; - # ProtectKernelModules = true; - # ProtectKernelLogs = true; - # ProtectControlGroups = true; - # NoNewPrivileges = true; - # RestrictRealtime = true; - # RestrictSUIDSGID = true; - # RemoveIPC = true; - # PrivateMounts = true; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + NoNewPrivileges = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.configDir ]; }; };