# systemd unit that runs Caddy as the unprivileged "http" user inside a
# restricted sandbox. Directives are unchanged; only line breaks and comments
# were added.
[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
# Run as a dedicated non-root account; the privileged-port capability is
# granted separately below.
User=http
Group=http
# --resume: if an autosaved config exists, Caddy loads it in preference to the
#   file given with --config. A Caddyfile edit followed by a restart (rather
#   than a reload) may therefore not take effect, and changes pushed through
#   the admin API persist across restarts.
# --environ: prints the process environment at startup, so any secret passed
#   through environment variables ends up in the service log.
ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile --resume --environ
# reload and stop both talk to Caddy's admin API, so they only work while that
# endpoint is enabled and reachable from this host.
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStop=/usr/bin/caddy stop
# Time allowed for a clean stop before systemd kills the process.
TimeoutStopSec=5s
# Resource ceilings: open file descriptors and processes/threads.
LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# The whole file system is read-only for this service, except the paths listed
# in ReadWritePaths= below.
ProtectSystem=strict
# Private /dev containing only pseudo-devices (no physical device nodes).
PrivateDevices=true
# /home, /root and /run/user are made inaccessible.
ProtectHome=true
# Writable exceptions to ProtectSystem=strict.
# NOTE(review): /srv/http is writable by the server process. If it is also a
# served document root, a compromised server can modify the content it serves.
# NOTE(review): no XDG_DATA_HOME/XDG_CONFIG_HOME is set here, so Caddy derives
# its data directory (certificates, private keys) and autosave location from
# the service user's home. Confirm that this does not resolve to a path that is
# served to clients; /var/lib/caddy is writable, but nothing in this unit
# points Caddy at it.
ReadWritePaths=/var/lib/caddy /var/log/caddy /srv/http
# Allow binding ports below 1024 without root, and cap the service at that
# single capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# The process and its children cannot gain privileges via setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=true
# Kernel tunables (/proc/sys, /sys, ...) are read-only.
ProtectKernelTunables=true
# Explicit kernel module loading is denied.
ProtectKernelModules=true
# The control group hierarchy is read-only.
ProtectControlGroups=true
# The execution domain (personality) cannot be changed.
LockPersonality=true
# Not set in this unit: RestrictAddressFamilies=, RestrictNamespaces=,
# SystemCallFilter=, ProtectKernelLogs=, RestrictSUIDSGID=.
# `systemd-analyze security <unit>` reports the remaining exposure.

[Install]
WantedBy=multi-user.target