From c14bb4e8cd22069de9dbfc826c32c3a196ccde54 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Fri, 21 Apr 2017 12:28:55 -0600
Subject: [PATCH] updated to work back to v229 and fixed conventions
---
 etc/systemd/system/caddy.service | 55 ++++++++++++++++----------------
 1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/etc/systemd/system/caddy.service b/etc/systemd/system/caddy.service
index c24d436..a79dd81 100644
--- a/etc/systemd/system/caddy.service
+++ b/etc/systemd/system/caddy.service
@@ -5,58 +5,59 @@ After=network-online.target
 Wants=network-online.target systemd-networkd-wait-online.service
 [Service]
-; Restart on crash (bad signal), but not on 'clean' failure (error exit code)
+# Restart on crash (bad signal), but not on 'clean' failure (error exit code)
+# Allow up to 3 restarts within 10 seconds
+# (it's unlikely that a user or properly-running script will do this)
 Restart=on-abnormal
-; Allow up to 3 restarts within 10 seconds
-; (it's unlikely that a user or properly-running script will do this)
 StartLimitInterval=10
 StartLimitBurst=3
-; User and group the process will run as
-; (www-data is the de facto standard on most systems)
+# User and group the process will run as
+# (www-data is the de facto standard on most systems)
 User=www-data
 Group=www-data
-; Letsencrypt-issued certificates will be written to this directory.
+# Letsencrypt-issued certificates will be written to this directory.
 Environment=CADDYPATH=/etc/ssl/caddy
-; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+# Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
 WorkingDirectory=/etc/ssl/caddy
 ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
 ExecReload=/bin/kill -USR1 $MAINPID
-; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
+# Unmodified caddy is not expected to use more than this.
 LimitNOFILE=1048576
-; Unmodified caddy is not expected to use more than that.
 LimitNPROC=64
-; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+# Use private /tmp and /var/tmp, which are discarded after caddy stops.
 PrivateTmp=true
-; Use a minimal /dev
+# Use a minimal /dev
 PrivateDevices=true
-; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+# Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
 ProtectHome=true
-; Make /usr, /boot, /etc and possibly some more folders read-only.
+# Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full
-; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there
-; and /var/log/caddy, because we want a place where logs can go.
-; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
-ReadWritePaths=/etc/ssl/caddy /var/log/caddy
+# … except /etc/ssl/caddy, because we want Letsencrypt-certificates there
+# and /var/log/caddy, because we want a place where logs can go.
+# This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy /var/log/caddy
-; The following additional security directives only work with systemd v229 or later.
-; They further retrict privileges that can be gained by caddy. Uncomment if you like.
-; Note that you may have to add capabilities required by any plugins in use.
+# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
+; ReadWritePaths=/etc/ssl/caddy /var/log/caddy
+
+# The following additional security directives only work with systemd v229 or later.
+# They further retrict privileges that can be gained by caddy.
+# Note that you may have to add capabilities required by any plugins in use.
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
-; Caveat: Some plugins need additional capabilities. Add them to both lines above.
-; - plugin "upload" needs: CAP_LEASE
+# Caveat: Some plugins need additional capabilities.
+# For example "upload" needs CAP_LEASE
+; CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_LEASE
+; AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_LEASE
+; NoNewPrivileges=true
 [Install]
 WantedBy=multi-user.target
-
-; Learn more:
-;
-; * systemd: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-; * why caddy's systemd file is what it is https://github.com/mholt/caddy/pull/1566/files
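Review bot: The added comment `# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories` states the rename backwards. systemd v231 introduced `ReadWritePaths=` as the new name for `ReadWriteDirectories=` and still accepts the old spelling, which is why the active `ReadWriteDirectories=` line is the one that works back to v229. This directive is what exempts /etc/ssl/caddy from `ProtectSystem=full`, so an admin who follows the comment and switches names on an older host would presumably get an ignored directive and a read-only certificate directory. I would reword it to `# Note: systemd v231 renamed ReadWriteDirectories= to ReadWritePaths=; the old name is still accepted`. The commented-out CAP_LEASE example further down would also be clearer if its comment said these lines replace the three active capability lines above them.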