author | Thomas Fanninger | 2016-09-29 16:59:58 +0200 |
---|---|---|
committer | Thomas Fanninger | 2016-09-29 16:59:58 +0200 |
commit | fa20e49e976fed5c5fe409c2f4981fdd513ad2c2 (patch) | |
tree | 5485260e87b710db875157fbc48f9681ad56ddfb /caddy_old.service | |
parent | 552fedb541582cfc8523a686208db6cd58a0eed8 (diff) | |
download | aur-fa20e49e976fed5c5fe409c2f4981fdd513ad2c2.tar.gz |
Add migration from user www-data to http
Diffstat (limited to 'caddy_old.service')
-rw-r--r-- | caddy_old.service | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/caddy_old.service b/caddy_old.service
new file mode 100644
index 000000000000..536cb3a192f5
--- /dev/null
+++ b/caddy_old.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=www-data
+Group=www-data
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=HOME=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+;NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target |
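Review bot: The three hardening directives at the end of `[Service]` are added commented out, so the unit as written runs caddy as `www-data` with no capability bound and without no-new-privileges. On a target with systemd v229 or later I would enable them together: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `AmbientCapabilities=CAP_NET_BIND_SERVICE`, `NoNewPrivileges=true`. They need to go in as a set, because `NoNewPrivileges=true` stops file capabilities on the binary from taking effect at exec, so binding ports below 1024 would then depend on the ambient capability. Nothing in this unit grants that capability, so the current setup presumably relies on capabilities set on `/usr/local/bin/caddy` outside the unit, which is worth stating in a comment next to `User=www-data`. If this file is only kept as a reference copy of the previous unit for the migration, as the name suggests, the same change belongs in the unit that is actually installed.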