2023-07-12 02:00:06 +02:00
|
|
|
{ config, secrets, ... }: let
|
|
|
|
cfg = config.services.plex;
|
|
|
|
in {
|
2022-03-07 16:01:52 +01:00
|
|
|
services.plex = {
|
|
|
|
enable = true;
|
|
|
|
openFirewall = true;
|
2022-06-22 20:16:57 +02:00
|
|
|
dataDir = "${config.machineVars.dataDrives.default}/var/plex";
|
2022-03-07 16:01:52 +01:00
|
|
|
};
|
|
|
|
|
2023-07-12 02:00:06 +02:00
|
|
|
systemd.services.plex.serviceConfig = {
|
|
|
|
ReadWritePaths = [ cfg.dataDir ];
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
PrivateDevices = true;
|
|
|
|
ProtectClock = true;
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
PrivateMounts = true;
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
ProtectHostname = true;
|
|
|
|
LockPersonality = true;
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
ProtectProc = true;
|
|
|
|
ProtectHome = true;
|
|
|
|
# PrivateNetwork = true;
|
|
|
|
PrivateUsers = true;
|
|
|
|
PrivateTmp = true;
|
|
|
|
UMask = "0007";
|
|
|
|
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
|
|
|
SystemCallArchitectures = "native";
|
|
|
|
};
|
|
|
|
|
2022-06-22 20:16:57 +02:00
|
|
|
# networking.firewall.allowedTCPPorts = [ secrets.ports.plex ];
|
2022-03-07 16:01:52 +01:00
|
|
|
}
|