Secure groups for Kodi.

Don't grant the groups globally, instead grant specific services
specific groups as needed.

roles/kodi/files/kodi.service

@@ -15,6 +15,8 @@ Before=graphical.target
 [Service]
 User=kodi
 PAMName=login
+SupplementaryGroups=audio
+SupplementaryGroups=cdrom
 Environment="DISPLAY=:0"
 ExecStart=flatpak run --device=all --filesystem=/etc/group --filesystem=/srv/library tv.kodi.Kodi --standalone --windowing=x11 -fs
 Type=simple

roles/kodi/files/xorg.service

@@ -14,7 +14,9 @@ ConditionPathExists=/dev/tty7
 
 [Service]
 User=kodi
+SupplementaryGroups=input
 SupplementaryGroups=tty
+SupplementaryGroups=video
 PAMName=login
 ExecStart=startx
 Type=simple

roles/kodi/tasks/main.yml

@@ -74,12 +74,6 @@
 - name: Create user
   user:
     create_home: true
-    groups:
-      - audio
-      - cdrom
-      - input
-      - plugdev
-      - video
     home: /var/lib/kodi
     name: kodi
     password: '!'  # pragma: allowlist secret