Sandboxed jellyseerr

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 Added:
 - Plex service
+- Expose and sandboxing to Jellyseerr module
 
 Updated:
 - If `nixarr.enable` is not enabled other services will automatically now

nixarr/jellyseerr/jellyseerr-module/default.nix

@@ -1,4 +1,3 @@
-# TODO: Add expose options for this module
 {
   config,
   pkgs,
@@ -68,22 +67,22 @@ in {
         Group = cfg.group;
         ExecStart = lib.getExe cfg.package;
         Restart = "on-failure";
-        # TODO: These are from nixpkgs, add them back if we add expose options
-        # ProtectHome = true;
-        # ProtectSystem = "strict";
-        # PrivateTmp = true;
-        # PrivateDevices = true;
-        # ProtectHostname = true;
-        # ProtectClock = true;
-        # ProtectKernelTunables = true;
-        # ProtectKernelModules = true;
-        # ProtectKernelLogs = true;
-        # ProtectControlGroups = true;
-        # NoNewPrivileges = true;
-        # RestrictRealtime = true;
-        # RestrictSUIDSGID = true;
-        # RemoveIPC = true;
-        # PrivateMounts = true;
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        NoNewPrivileges = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        PrivateMounts = true;
+        ProtectSystem = "strict";
+        ReadWritePaths = [ cfg.configDir ];
       };
     };