# Jellyfin systemd configuration options # Use this file to override the user or environment file location. [Service] # Alter the user that Jellyfin runs as User = jellyfin # Alter where environment variables are sourced from #EnvironmentFile = /etc/default/jellyfin # These *should* prevent Jellyfin from fully consuming my Pi's resources CPUQuota=300% MemoryHigh=60% MemoryMax=75% # Service hardening options # These were added in PR #6953 to solve issue #6952, but some combination of # them causes "restart.sh" functionality to break with the following error: # sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the # 'nosuid' option set or an NFS file system without root privileges? # See issue #7503 for details on the troubleshooting that went into this. # Since these were added for NixOS specifically and are above and beyond # what 99% of systemd units do, they have been moved here as optional # additional flags to set for maximum system security and can be enabled at # the administrator's or package maintainer's discretion. # Uncomment these only if you know what you're doing, and doing so may cause # bugs with in-server Restart and potentially other functionality as well. #NoNewPrivileges=true #SystemCallArchitectures=native #RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK #RestrictNamespaces=false #RestrictRealtime=true #RestrictSUIDSGID=true #ProtectControlGroups=false #ProtectHostname=true #ProtectKernelLogs=false #ProtectKernelModules=false #ProtectKernelTunables=false #LockPersonality=true #PrivateTmp=false #PrivateDevices=false #PrivateUsers=true #RemoveIPC=true #SystemCallFilter=~@clock #SystemCallFilter=~@aio #SystemCallFilter=~@chown #SystemCallFilter=~@cpu-emulation #SystemCallFilter=~@debug #SystemCallFilter=~@keyring #SystemCallFilter=~@memlock #SystemCallFilter=~@module #SystemCallFilter=~@mount #SystemCallFilter=~@obsolete #SystemCallFilter=~@privileged #SystemCallFilter=~@raw-io #SystemCallFilter=~@reboot #SystemCallFilter=~@setuid #SystemCallFilter=~@swap #SystemCallErrorNumber=EPERM