Diffstat (limited to 'caddy.service')
-rw-r--r-- | caddy.service | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/caddy.service b/caddy.service
new file mode 100644
index 000000000000..5742eccac0f3
--- /dev/null
+++ b/caddy.service
@@ -0,0 +1,60 @@
+[Unit]
+Description=Caddy webserver
+Documentation=https://caddyserver.com/docs/
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+StartLimitIntervalSec=14400
+StartLimitBurst=10
+
+[Service]
+User=caddy
+Group=caddy
+
+# environment: store secrets here such as API tokens
+EnvironmentFile=-/var/lib/caddy/envfile
+# data directory: uses $XDG_DATA_HOME/caddy
+# TLS certificates and other assets are stored here
+Environment=XDG_DATA_HOME=/var/lib
+# config directory: uses $XDG_CONFIG_HOME/caddy
+Environment=XDG_CONFIG_HOME=/etc
+
+# do not print --environ here, as it may contain API tokens!!
+ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
+
+# Do not allow the process to be restarted in a tight loop.
+Restart=on-abnormal
+
+# Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+# Sufficient resource limits
+LimitNOFILE=1048576
+LimitNPROC=512
+
+# Grants binding to port 443...
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+# ...and limits potentially inherited capabilities to this
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Hardening options
+LockPersonality=true
+NoNewPrivileges=true
+
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectSystem=strict
+
+ReadWritePaths=/var/lib/caddy
+ReadOnlyPaths=/etc/caddy
+ReadOnlyPaths=-/var/lib/caddy/envfile
+
+[Install]
+WantedBy=multi-user.target |
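Review bot: The secrets file named by `EnvironmentFile=-/var/lib/caddy/envfile` sits inside `/var/lib/caddy`, the one path this unit leaves writable (`ReadWritePaths=/var/lib/caddy` under `ProtectSystem=strict`), so the trailing `ReadOnlyPaths=-/var/lib/caddy/envfile` only protects a file that already exists at start; when it is absent (which the `-` prefix tolerates) no read-only bind mount is set up and a compromised caddy process can create the file itself, and PID 1 will then inject attacker-chosen variables into the service environment on the next start. systemd reads the file before the sandbox is applied, so the process never needs to see it at all; keeping it next to the config as `EnvironmentFile=-/etc/caddy/envfile` (root-owned, mode 0600) makes it read-only under `ProtectSystem=strict` and lets the `ReadOnlyPaths=-/var/lib/caddy/envfile` line be dropped, or on newer systemd `LoadCredential=` avoids placing tokens in the process environment at all. The "Hardening options" block could also take the directives below, subject to the minimum systemd version the package targets (`ProtectClock=` and `ProtectHostname=` are newer than the `LockPersonality=` already used); `RestrictAddressFamilies=` is deliberately omitted because Caddy's Go runtime may rely on AF_NETLINK for interface enumeration and that should be confirmed before adding it.
```ini
# Hardening options
LockPersonality=true
NoNewPrivileges=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectClock=true
ProtectHostname=true
SystemCallArchitectures=native
; … unchanged: PrivateTmp/PrivateDevices, Protect* and path directives …
```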