# caddy.service
#
# systemd unit that runs Caddy from a config file
# (/etc/caddy/Caddyfile in the command lines below).
#
# Check that the ExecStartPre, ExecStart and ExecReload command lines
# are correct for your installation.
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not pass the --resume flag, so changes
# made through Caddy's API are overwritten by the Caddyfile the next
# time the service is restarted. If you intend to configure Caddy
# through its API, add --resume to the `caddy run` command or use the
# caddy-api.service file instead.
#
# NOTE(review): ProtectSystem=strict is set and ReadWritePaths lists no
# path under /etc, so the service cannot write below XDG_CONFIG_HOME=/etc.
# Presumably that has to change as well before --resume can find a saved
# config - confirm against the Caddy documentation.

[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
# Pull in network-online.target and start only after it is reached.
Wants=network-online.target systemd-networkd-wait-online.service
After=network-online.target
# Start rate limit: at most 10 starts within 14400 s (4 h).
StartLimitBurst=10
StartLimitIntervalSec=14400

[Service]
# systemd waits for a readiness notification from the service.
Type=notify

# Run as a dedicated unprivileged account, not root.
User=caddy
Group=caddy

# XDG base directories. Caddy places its data directory under
# XDG_DATA_HOME and its config directory under XDG_CONFIG_HOME, i.e.
# /var/lib/caddy and /etc/caddy here. The data directory holds
# certificates and their private keys; keep it accessible to the
# caddy user only.
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc

# Validate the Caddyfile first, so a broken config fails the start
# before `caddy run` is executed.
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
# --environ prints the process environment at startup. Any secret
# handed over via Environment= or EnvironmentFile= (API tokens and the
# like) therefore ends up in the journal; restrict journal access
# accordingly or drop the flag.
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
# --force reloads even when the config is unchanged.
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
# Remove the socket file once the service has stopped.
# NOTE(review): presumably the admin API's unix socket, configured in
# the Caddyfile - that file is not part of this unit, verify there.
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket

# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
# on-abnormal restarts after a signal, timeout or watchdog event, but
# not after a plain non-zero exit code.
Restart=on-abnormal

# Graceful shutdown window: a stop that takes longer than 5 s is
# terminated forcibly by systemd.
TimeoutStopSec=5s

# Resource limits and accounting
LimitNOFILE=1048576
LimitNPROC=512
MemoryAccounting=true

# Hardening options
#
# Privileges: the only capability available is CAP_NET_BIND_SERVICE
# (binding ports below 1024), and it cannot be extended through
# setuid/setgid binaries or file capabilities.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
RestrictSUIDSGID=true

# File system: the whole hierarchy is read-only for the service except
# the three directories in ReadWritePaths; home directories are
# inaccessible and /tmp is private.
# NOTE(review): the unit sets no StateDirectory=, LogsDirectory= or
# RuntimeDirectory=, so these directories are presumably created by the
# package (e.g. tmpfiles.d). A missing ReadWritePaths entry without a
# "-" prefix makes the start fail - verify on a fresh install.
ProtectSystem=strict
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
ProtectHome=true
PrivateTmp=true

# Devices: no access to physical devices.
PrivateDevices=true
DevicePolicy=closed

# Kernel interfaces: clock, hostname, control groups, kernel log,
# module loading and tunables are protected from the service.
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true

# /proc: only the process-related subset is mounted, and processes of
# other users are hidden.
ProcSubset=pid
ProtectProc=invisible

# Process restrictions
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictNamespaces=true
RestrictRealtime=true
RemoveIPC=true

# NOTE(review): SystemCallFilter=, SystemCallArchitectures= and
# RestrictAddressFamilies= are not set. `systemd-analyze security
# caddy.service` lists the remaining exposure; test any addition
# against the Caddy modules in use before deploying it.

[Install]
WantedBy=multi-user.target