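# systemd unit for the Navidrome music server installed under /i/navidrome.
# The service runs as an unprivileged account inside a restricted sandbox;
# see the hardening block in [Service] for what is and is not confined.

[Unit]
Description=Navidrome
After=remote-fs.target network.target
# Fail the start with a logged assertion if the install directory is absent.
AssertPathExists=/i/navidrome

[Install]
WantedBy=multi-user.target

[Service]
# Run as an unprivileged account rather than root.
User=iank
Group=iank
Type=simple
ExecStart=/i/navidrome/navidrome --configfile "/i/navidrome/navidrome.toml"
WorkingDirectory=/i/navidrome
# Seconds allowed for a clean stop before systemd terminates the service.
TimeoutStopSec=20
# NOTE(review): with KillMode=process only the main process is signalled on
# stop, so any helper processes it started keep running outside the service
# lifecycle. The systemd documentation discourages this mode; confirm it is
# intentional, otherwise drop the line to get the default (control-group).
KillMode=process
Restart=on-failure

# Sandboxing. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# Directives unknown to an older systemd are logged as a warning and ignored,
# so check the journal after `systemctl daemon-reload` to see which applied.
#
# Empty bounding set: the service can never hold a Linux capability.
CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=yes
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Sockets are limited to local (AF_UNIX) and IPv4/IPv6.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Reject system calls made through a non-native ABI, which would otherwise
# not be covered by the filter below.
SystemCallArchitectures=native
# Deny-list (leading ~): the listed system call groups are blocked and
# everything else stays allowed.
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# With ProtectSystem=full this line does not yet confine writes; it becomes
# the only writable location once ProtectSystem=strict is set (see below).
# NOTE(review): the executable and its config file live inside this writable
# directory, so the service can modify what it will run on the next start.
# Consider ReadOnlyPaths= for those two files, or moving them elsewhere.
ReadWritePaths=/i/navidrome

# You can uncomment the following line if you're not using the jukebox. This
# will prevent navidrome from accessing any real (physical) devices.
#PrivateDevices=yes

# `full` mounts /usr, /boot, /efi and /etc read-only for the service. Change
# it to `strict` if you don't want navidrome to be able to write anything on
# your filesystem outside of the ReadWritePaths= directory above
# (/i/navidrome). Check first that the data and cache folders set in
# navidrome.toml are inside that directory.
ProtectSystem=full

# You can uncomment the following line if you don't have any media in /home/*.
# This will prevent navidrome from ever reading/writing anything there.
#ProtectHome=true

# You can customize some Navidrome config options by setting environment variables here. Ex:
#Environment=ND_BASEURL="/navidrome"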
46 # You can customize some Navidrome config options by setting environment variables here. Ex:
47 #Environment=ND_BASEURL="/navidrome"