archrelease: copy trunk to community-any
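# caddy-api.service
#
# For using Caddy with its API.
#
# This unit is "durable" in that it will automatically resume
# the last active configuration if the service is restarted.
#
# See https://caddyserver.com/docs/install for instructions.
#
# NOTE(review): with this unit the running configuration is whatever was last
# loaded through Caddy's admin API. Per upstream documentation the admin
# endpoint listens on localhost:2019 by default and is not authenticated, so
# any local process that can reach it can change the configuration, and
# --resume makes that change survive restarts. Confirm who can reach the
# endpoint on this host; a permission-restricted Unix socket is one option.

[Unit]
Description=Caddy API Server
Documentation=https://caddyserver.com/docs/
# Order after, and pull in, the "network is up" synchronisation point.
After=network-online.target
# NOTE(review): systemd-networkd-wait-online.service is specific to
# systemd-networkd. On hosts whose network is managed by something else,
# confirm that pulling it in is intended.
Wants=network-online.target systemd-networkd-wait-online.service
# Start rate limit: at most 10 starts within 14400 s (4 hours). After that
# systemd refuses further starts until the interval has passed.
StartLimitIntervalSec=14400
StartLimitBurst=10

[Service]
# systemd treats the service as started only once the process has sent its
# readiness notification.
Type=notify
# Run as the unprivileged caddy account. The account is not created by this
# unit, so it must already exist.
User=caddy
Group=caddy
# Both XDG base directories point at /var/lib.
# NOTE(review): presumably Caddy then keeps its data and its autosaved
# configuration under /var/lib/caddy, which is writable below - confirm.
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/var/lib
# --resume: start from the last autosaved configuration.
# --environ: print the process environment at startup. That output ends up in
# the journal, so do not pass secrets to this unit through Environment= or
# EnvironmentFile=.
ExecStart=/usr/bin/caddy run --environ --resume

# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
# on-abnormal restarts after a fatal signal, a timeout or a watchdog expiry,
# but not after the process exits with an error code.
Restart=on-abnormal

# Use graceful shutdown with a reasonable timeout
# A process still running 5 s after the stop request is killed by systemd.
TimeoutStopSec=5s

# Resource limits: open file descriptors and processes/threads.
# RLIMIT_NPROC is accounted per user ID, not per unit.
LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
# The only capability granted is the one needed to bind ports below 1024 as a
# non-root user, and the bounding set stops the process from ever holding any
# other capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
# Resource accounting rather than a restriction in itself.
MemoryAccounting=true
# Denies memory mappings that are both writable and executable.
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
# strict: the file system is read-only for this service except /dev, /proc,
# /sys and the ReadWritePaths= entries below.
ProtectSystem=strict
RemoveIPC=true
# Every path listed here must exist when the unit starts, otherwise setting up
# the mount namespace fails and the service does not start.
# NOTE(review): /run is a tmpfs, so /run/caddy has to be recreated on each
# boot by something not visible in this unit (for example tmpfiles.d) - confirm.
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# systemd.exec(5) recommends combining MemoryDenyWriteExecute= and
# RestrictNamespaces= with this setting: on systems that support several ABIs,
# the non-native system call ABI can otherwise be used to circumvent them.
SystemCallArchitectures=native
# NOTE(review): SystemCallFilter= and RestrictAddressFamilies= are not set.
# They are candidates to evaluate, testing the service after each change;
# "systemd-analyze security caddy-api.service" lists the remaining exposure.

[Install]
WantedBy=multi-user.target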