From 1dbb443640f31cb161529af00ac16f0ec2dde57a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 4 Oct 2023 22:13:50 +0200 Subject: [PATCH] cleaning --- conf/systemd.service | 38 ++------------------------------------ doc/DESCRIPTION.md | 2 +- 2 files changed, 3 insertions(+), 37 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index c2c4fad..62415b3 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,5 +1,5 @@ [Unit] -Description=Radarr Daemon +Description=Readarr Daemon After=network.target [Service] @@ -7,44 +7,10 @@ Type=simple User=__APP__ Group=__APP__ WorkingDirectory=__INSTALL_DIR__/ -ExecStart=__INSTALL_DIR__/Readarr -nobrowser -data=__DATA_DIR__ +ExecStart=__INSTALL_DIR__/Readarr -nobrowser -data=__DATA_DIR__/ TimeoutStopSec=20 KillMode=process Restart=on-failure -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectClock=yes -ProtectHostname=yes -ProtectProc=invisible -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallArchitectures=native -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md index c4dc93b..c567488 100644 --- a/doc/DESCRIPTION.md +++ b/doc/DESCRIPTION.md @@ -1 +1 @@ -Readarr is an ebook and audiobook collection manager for Usenet and BitTorrent users. It can monitor multiple RSS feeds for new books from your favorite authors and will grab, sort, and rename them. Note that only one type of a given book is supported. If you want both an audiobook and ebook of a given book you will need multiple instances. \ No newline at end of file +Readarr is an eBook and audiobook collection manager for Usenet and BitTorrent users. It can monitor multiple RSS feeds for new books and will interface with clients and indexers to grab, sort, and rename them. It can also be configured to automatically upgrade the quality of existing files in the library when a better quality format becomes available. It does not manage comics or magazines. \ No newline at end of file