Hardening jellyfin service

hosts/iron/services/jellyfin.nix

@@ -1,8 +1,51 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
   services.jellyfin = {
     enable = true;
   };
+  systemd.services.jellyfin = {
+    serviceConfig = {
+      ###MemoryDenyWriteExecute = true;
+      BindPaths = [
+        "/var/cache/jellyfin"
+        "/var/lib/jellyfin"
+      ];
+      BindReadOnlyPaths = [
+        "/nix/store"
+        "/filebitch/pub/Filme"
+        "/filebitch/pub/Serien"
+        "/var/lib/qbittorrent/downloads"
+      ];
+      CapabilityBoundingSet = "";
+      #IPAddressAllow = "localhost";
+      #IPAddressDeny = "any";
+      LockPersonality = true;
+      PrivateDevices = lib.mkForce true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "noaccess";
+      ProtectSystem = "strict";
+      ReadWritePaths = "";
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RootDirectory = "/run/jellyfin";
+      RuntimeDirectory = "jellyfin";
+      StateDirectory = "jellyfin";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      WorkingDirectory = "/var/lib/jellyfin";
+    };
+  };
   services.nginx.virtualHosts."jellyfin.jalr.de" = {
     enableACME = true;
     forceSSL = true;