diff options
Diffstat (limited to 'caddy.service')
-rw-r--r-- | caddy.service | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/caddy.service b/caddy.service new file mode 100644 index 000000000000..96259b46503d --- /dev/null +++ b/caddy.service @@ -0,0 +1,71 @@ +# caddy.service +# +# For using Caddy with a config file. +# +# Make sure the ExecStart and ExecReload commands are correct +# for your installation. +# +# See https://caddyserver.com/docs/install for instructions. +# +# WARNING: This service does not use the --resume flag, so if you +# use the API to make changes, they will be overwritten by the +# Caddyfile next time the service is restarted. If you intend to +# use Caddy's API to configure it, add the --resume flag to the +# `caddy run` command or use the caddy-api.service file instead. + +[Unit] +Description=Caddy web server +Documentation=https://caddyserver.com/docs/ +After=network-online.target +Wants=network-online.target systemd-networkd-wait-online.service +StartLimitIntervalSec=14400 +StartLimitBurst=10 + +[Service] +User=caddy +Group=caddy +Environment=XDG_DATA_HOME=/var/lib +Environment=XDG_CONFIG_HOME=/etc +ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile +ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile +ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile +ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket + +# Do not allow the process to be restarted in a tight loop. If the +# process fails to start, something critical needs to be fixed. +Restart=on-abnormal + +# Use graceful shutdown with a reasonable timeout +TimeoutStopSec=5s + +LimitNOFILE=1048576 +LimitNPROC=512 + +# Hardening options +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +DevicePolicy=closed +LockPersonality=true +MemoryAccounting=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProcSubset=pid +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible +ProtectSystem=strict +RemoveIPC=true +ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true + +[Install] +WantedBy=multi-user.target |