configpolicy/roles/radarr/templates/radarr.container.j2

{#- vim: set ft=systemd.jinja : #}
[Unit]
Description=Radarr Movie Library Manager
Wants=network.target
After=network.target

[Container]
Image={{ radarr_container_image }}:{{ radarr_version }}
Volume=/var/log/radarr:/var/log/radarr:rw
Volume=/var/lib/radarr:/var/lib/radarr:rw
{% for mount in radarr_path_mounts %}
Mount={{ mount }}
{% endfor %}
GroupAdd=media
ReadOnly=true
ReadOnlyTmpfs=true
Network=host
NoNewPrivileges=yes

[Service]
Restart=always
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=full
TemporaryFileSystem=/etc/containers/networks
RestrictRealtime=yes
RestrictSUIDSGID=yes
SuccessExitStatus=0 143
UMask=0022

[Install]
WantedBy=multi-user.target