From e65fb189ce41297584281d8b9ba45162afc2144d Mon Sep 17 00:00:00 2001
From: Sumner Evans
Date: Fri, 24 Apr 2020 08:54:00 -0600
Subject: [PATCH] Added back configs that I totally missed because I was tired
---
 contrib/navidrome.service | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/contrib/navidrome.service b/contrib/navidrome.service
index eb24e4bae..2e38b14d6 100644
--- a/contrib/navidrome.service
+++ b/contrib/navidrome.service
@@ -29,5 +29,17 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
-ReadWritePaths=/opt/navidrome/
-PrivateDevices=yes
+ReadWritePaths=/var/lib/navidrome
+
+# You can uncomment the following line if you're not using the jukebox This
+# will prevent navidrome from accessing any real (physical) devices
+#PrivateDevices=yes
+
+# You can change the following line to `strict` instead of `full` if you don't
+# want navidrome to be able to write anything on your filesystem outside of
+# /var/lib/navidrome.
+ProtectSystem=full
+
+# You can comment the following line if you don't have any media in /home/*.
+# This will prevent navidrome from ever reading/writing anything there.
+ProtectHome=true
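Review bot: The comment above `ProtectHome=true` reads backwards: the directive itself is what blocks access to /home, so it should stay enabled when no media lives there and be relaxed only when it does, e.g. `# Comment out the following line (or set ProtectHome=read-only) if your media lives under /home.` Separately, the unit now ships the weaker choice as the default in two places: `PrivateDevices=yes` is commented out, and `ProtectSystem=full` only makes /usr, the boot loader directories and /etc read-only. Under `full` the rest of the filesystem stays writable (subject to file permissions), so `ReadWritePaths=/var/lib/navidrome` restricts nothing until an admin switches to `strict`. Consider defaulting to `ProtectSystem=strict` and an active `PrivateDevices=yes`, and documenting the jukebox case as the opt-out instead. The first new comment is also missing a period after "jukebox".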