# systemd [Service] settings for running Caddy as the unprivileged "caddy"
# user, with a small capability set and filesystem sandboxing.
[Service]
# Type=notify: systemd treats the unit as started only once the process
# reports readiness through the notification socket.
Type=notify
# Run as a dedicated non-root account rather than root.
User=caddy
Group=caddy
# --environ makes caddy print its environment at startup, so every variable
# ends up in the journal. NOTE(review): if secrets (API tokens, DNS provider
# keys) are passed via environment, restrict journal access or drop --environ.
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
# Reload the configuration from the same Caddyfile without a full restart.
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
# After a stop request the process has 5 seconds to exit before systemd
# kills it forcibly.
TimeoutStopSec=5s
# Resource limits: open file descriptors, and processes/threads for the
# service user (RLIMIT_NPROC is counted per UID, not per unit).
LimitNOFILE=1048576
LimitNPROC=512
# Hardening for 201 modules
# The bounding set caps what the service can ever hold at these two
# capabilities. AmbientCapabilities actually grants them to the non-root
# process. CAP_NET_BIND_SERVICE allows binding ports below 1024.
# NOTE(review): CAP_NET_ADMIN is broad (interface, routing and firewall
# control). Confirm it is needed here and remove it from both lines if not.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# Block privilege gain through setuid/setgid binaries or file capabilities
# on exec, for this process and its children.
NoNewPrivileges=true
# Security
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# /usr, /boot, /efi and /etc are mounted read-only for this service.
# NOTE(review): ProtectSystem=strict would make the whole hierarchy read-only
# apart from ReadWritePaths. Verify every path caddy writes before switching.
ProtectSystem=full
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=true
# Ensure caddy can write its certs/data
# ReadWritePaths re-opens /etc/caddy for writing despite ProtectSystem=full,
# so only file ownership/permissions stop the service changing its own config.
# NOTE(review): if caddy only writes under /var/lib/caddy, drop /etc/caddy
# here or keep the Caddyfile root-owned and not writable by the caddy user.
ReadWritePaths=/var/lib/caddy /etc/caddy