Sandboxed jellyseerr

rasmus-kirk
2025-03-18 20:06:17 +01:00
parent d73527a0ea
commit 32b4c3797b
2 changed files with 17 additions and 17 deletions
+1
@@ -4,6 +4,7 @@
Added: Added:
- Plex service - Plex service
- Expose and sandboxing to Jellyseerr module
Updated: Updated:
- If `nixarr.enable` is not enabled other services will automatically now - If `nixarr.enable` is not enabled other services will automatically now
+16 -17
@@ -1,4 +1,3 @@
# TODO: Add expose options for this module
{ {
config, config,
pkgs, pkgs,
@@ -68,22 +67,22 @@ in {
Group = cfg.group; Group = cfg.group;
ExecStart = lib.getExe cfg.package; ExecStart = lib.getExe cfg.package;
Restart = "on-failure"; Restart = "on-failure";
# TODO: These are from nixpkgs, add them back if we add expose options ProtectHome = true;
# ProtectHome = true; PrivateTmp = true;
# ProtectSystem = "strict"; PrivateDevices = true;
# PrivateTmp = true; ProtectHostname = true;
# PrivateDevices = true; ProtectClock = true;
# ProtectHostname = true; ProtectKernelTunables = true;
# ProtectClock = true; ProtectKernelModules = true;
# ProtectKernelTunables = true; ProtectKernelLogs = true;
# ProtectKernelModules = true; ProtectControlGroups = true;
# ProtectKernelLogs = true; NoNewPrivileges = true;
# ProtectControlGroups = true; RestrictRealtime = true;
# NoNewPrivileges = true; RestrictSUIDSGID = true;
# RestrictRealtime = true; RemoveIPC = true;
# RestrictSUIDSGID = true; PrivateMounts = true;
# RemoveIPC = true; ProtectSystem = "strict";
# PrivateMounts = true; ReadWritePaths = [ cfg.configDir ];
}; };
}; };
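Review bot: The hardening set enabled in `serviceConfig` stops at filesystem and kernel protections; nothing up to `ReadWritePaths = [ cfg.configDir ];` narrows capabilities, socket families or personality, so a compromised Jellyseerr process keeps more surface than a network-facing service needs. Assuming the unit runs as an unprivileged user (only `Group = cfg.group;` is visible here), `CapabilityBoundingSet = "";`, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` and `LockPersonality = true;` are the usual next additions, to be tested against the service, while `MemoryDenyWriteExecute` is best left unset for a JIT-based runtime. Separately, `ProtectSystem = "strict"` combined with `ReadWritePaths` makes the unit fail at namespace setup when `cfg.configDir` does not exist, and whether the module creates that directory is not visible in this hunk. Running `systemd-analyze security` on the generated unit would show what exposure remains.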