Created
September 20, 2025 19:21
-
-
Save radupotop/61d59052ff0a81cc5a32c92b3bfaa1d6 to your computer and use it in GitHub Desktop.
Jellyfin Systemd hardening override files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Service] | |
| # Prevent gaining extra privileges or executing setuid binaries. | |
| NoNewPrivileges=yes | |
| # Separate /tmp and /var/tmp | |
| PrivateTmp=yes | |
| # Make most of the filesystem read-only; whitelist writable paths below. | |
| ProtectSystem=strict | |
| # Disallow access to users homes. | |
| ProtectHome=yes | |
| # Deny access to kernel logs (dmesg) | |
| ProtectKernelLogs=yes | |
| # Harden kernel and cgroup access. | |
| ProtectKernelTunables=yes | |
| ProtectKernelModules=yes | |
| ProtectControlGroups=yes | |
| ProtectHostname=yes | |
| ProtectClock=yes | |
| # Tighten various privilege-related features. | |
| RestrictSUIDSGID=yes | |
| RestrictRealtime=yes | |
| # Limit network families | |
| RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Service] | |
| # Restrict paths | |
| ReadOnlyPaths = /tank | |
| InaccessiblePaths = /tank/backup |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Service] | |
| # Create writable standard dirs for the service-user | |
| # Needs User= to be defined | |
| # RuntimeDirectory=jellyfin | |
| StateDirectory=jellyfin | |
| CacheDirectory=jellyfin | |
| LogsDirectory=jellyfin | |
| ConfigurationDirectory=jellyfin | |
| # Limit network families | |
| RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment