configpolicy/roles/prowlarr/templates/prowlarr.container.j2

{#- vim: set ft=systemd.jinja : #}
[Unit]
Description=Prowlarr Indexer Manager
Wants=network.target
After=network.target

[Container]
Image={{ prowlarr_container_image }}:{{ prowlarr_version }}
Volume=/var/log/prowlarr:/var/log/prowlarr:rw
Volume=/var/lib/prowlarr:/var/lib/prowlarr:rw
ReadOnly=true
ReadOnlyTmpfs=true
Network=host
NoNewPrivileges=yes

[Service]
Restart=always
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=full
TemporaryFileSystem=/etc/containers/networks
RestrictRealtime=yes
RestrictSUIDSGID=yes
SuccessExitStatus=0 143
UMask=0077

[Install]
WantedBy=multi-user.target