configpolicy/roles/sonarr/templates/sonarr.container.j2

{#- vim: set ft=systemd.jinja : #}
[Unit]
Description=Sonarr TV Library Manager
Wants=network.target
After=network.target

[Container]
Image={{ sonarr_container_image }}:{{ sonarr_version }}
Volume=/var/log/sonarr:/var/log/sonarr:rw
Volume=/var/lib/sonarr:/var/lib/sonarr:rw
{% for mount in sonarr_path_mounts %}
Mount={{ mount }}
{% endfor %}
GroupAdd=media
ReadOnly=true
ReadOnlyTmpfs=true
Network=host
NoNewPrivileges=yes

[Service]
Restart=always
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=full
TemporaryFileSystem=/etc/containers/networks
RestrictRealtime=yes
RestrictSUIDSGID=yes
SuccessExitStatus=0 143
UMask=0022

[Install]
WantedBy=multi-user.target