Diffstat (limited to 'caddy-systemd-service.patch')
-rw-r--r--caddy-systemd-service.patch47
1 files changed, 33 insertions, 14 deletions
diff --git a/caddy-systemd-service.patch b/caddy-systemd-service.patch
index 3f85f13f9988..8ed422217346 100644
--- a/caddy-systemd-service.patch
+++ b/caddy-systemd-service.patch
@@ -1,14 +1,33 @@
-11,12c11,12
-< User=www-data
-< Group=www-data
----
-> User=http
-> Group=http
-41,43c41,43
-< ;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-< ;AmbientCapabilities=CAP_NET_BIND_SERVICE
-< ;NoNewPrivileges=true
----
-> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-> AmbientCapabilities=CAP_NET_BIND_SERVICE
-> NoNewPrivileges=true
+--- caddy_old.service 2016-09-29 18:04:15.356244279 +0200
++++ caddy_new.service 2016-09-29 18:04:15.356244279 +0200
+@@ -8,14 +8,14 @@
+ Restart=on-failure
+
+ ; User and group the process will run as.
+-User=www-data
+-Group=www-data
++User=http
++Group=http
+
+ ; Letsencrypt-issued certificates will be written to this directory.
+ Environment=HOME=/etc/ssl/caddy
+
+ ; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+-ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
++ExecStart=/usr/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ ExecReload=/bin/kill -USR1 $MAINPID
+
+ ; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+@@ -38,9 +38,9 @@
+ ; The following additional security directives only work with systemd v229 or later.
+ ; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+ ; Note that you may have to add capabilities required by any plugins in use.
+-;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+-;AmbientCapabilities=CAP_NET_BIND_SERVICE
+-;NoNewPrivileges=true
++CapabilityBoundingSet=CAP_NET_BIND_SERVICE
++AmbientCapabilities=CAP_NET_BIND_SERVICE
++NoNewPrivileges=true
+
+ [Install]
+ WantedBy=multi-user.target
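Review bot: In the first inner hunk the service is switched to `User=http`/`Group=http` while `Environment=HOME=/etc/ssl/caddy` remains the directory where issued certificates (and presumably their private keys) are written, so any other daemon running under the same `http` account could read or replace that key material. If `http` is the distribution's shared web-server account, a dedicated account would keep the keys isolated, e.g. `+User=caddy` and `+Group=caddy` with the account created by the package (the name is a suggestion, not taken from the page). The second inner hunk now enables `CapabilityBoundingSet`, `AmbientCapabilities` and `NoNewPrivileges` unconditionally, yet the context comment still reads "Uncomment if you like" and carries the systemd v229 requirement; a note in the packaging stating the minimum systemd version would keep that accurate. Lines 22–37 of the unit fall outside both inner hunks, so whether filesystem restrictions such as `ProtectSystem=` are already set cannot be confirmed from here.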