From e17cc4aad77f8b95b04e1b27f9fed2d3ef67f18a Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 6 Jun 2019 18:46:37 +0530
Subject: [PATCH] Add default caddy service
Signed-off-by: Harsh Shandilya
---
 caddy.service | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 caddy.service
diff --git a/caddy.service b/caddy.service
new file mode 100644
index 0000000..639f407
--- /dev/null
+++ b/caddy.service
@@ -0,0 +1,51 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-abnormal
+ ; User and group the process will run as.
+User=caddy
+Group=caddy
+ ; Letsencrypt-issued certificates will be written to this directory.
+Environment=CADDYPATH=/etc/ssl/caddy
+ ; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+ ; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+ ; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=512
+ ; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+ ; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
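Review bot: The comment block just before `CapabilityBoundingSet` says these directives "only work with systemd v229 or later" and "Uncomment if you like", but `CapabilityBoundingSet`, `AmbientCapabilities` and `NoNewPrivileges` are shipped active, so the comment is stale and leads a reader to believe the privilege restriction is optional or disabled. I would reword it to match the file, e.g. `; The following directives require systemd v229 or later and restrict the privileges caddy can gain; drop them only on older systems.`. The `CADDYPATH=/etc/ssl/caddy` comment would also benefit from a caveat that this directory receives the issued private keys and must be pre-created owned by `caddy:caddy` with non-world-readable permissions, because `ReadWriteDirectories` only preserves access and, as the existing comment already notes, grants nothing the host does not. Since `ProtectSystem=full` leaves `/etc/caddy/Caddyfile` read-only to the service, that is presumably intended and worth stating next to `ExecStart` so nobody "fixes" it with a broader `ReadWriteDirectories`.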