Systemd Caddy Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Unit] | |
Description=Caddy HTTP/2 web server | |
Documentation=https://caddyserver.com/docs | |
After=network-online.target | |
Wants=network-online.target systemd-networkd-wait-online.service | |
[Service] | |
Restart=on-abnormal | |
; User and group the process will run as. | |
User=caddy | |
Group=caddy | |
; Letsencrypt-issued certificates will be written to this directory. | |
Environment=CADDYPATH=/etc/ssl/caddy | |
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile. | |
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp | |
ExecReload=/bin/kill -USR1 $MAINPID | |
; Use graceful shutdown with a reasonable timeout | |
KillMode=mixed | |
KillSignal=SIGQUIT | |
TimeoutStopSec=5s | |
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. | |
LimitNOFILE=1048576 | |
; Unmodified caddy is not expected to use more than that. | |
LimitNPROC=512 | |
; Use private /tmp and /var/tmp, which are discarded after caddy stops. | |
PrivateTmp=true | |
; Use a minimal /dev | |
PrivateDevices=true | |
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. | |
ProtectHome=true | |
; Make /usr, /boot, /etc and possibly some more folders read-only. | |
ProtectSystem=full | |
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there. | |
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! | |
ReadWriteDirectories=/etc/ssl/caddy | |
; The following additional security directives only work with systemd v229 or later. | |
; They further retrict privileges that can be gained by caddy. Uncomment if you like. | |
; Note that you may have to add capabilities required by any plugins in use. | |
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE | |
;AmbientCapabilities=CAP_NET_BIND_SERVICE | |
;NoNewPrivileges=true | |
[Install] | |
WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# caddy.service | |
# | |
# For using Caddy with a config file. | |
# | |
# Make sure the ExecStart and ExecReload commands are correct | |
# for your installation. | |
# | |
# See https://caddyserver.com/docs/install for instructions. | |
# | |
# WARNING: This service does not use the --resume flag, so if you | |
# use the API to make changes, they will be overwritten by the | |
# Caddyfile next time the service is restarted. If you intend to | |
# use Caddy's API to configure it, add the --resume flag to the | |
# `caddy run` command or use the caddy-api.service file instead. | |
[Unit] | |
Description=Caddy | |
Documentation=https://caddyserver.com/docs/ | |
After=network.target | |
[Service] | |
User=caddy | |
Group=caddy | |
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile | |
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile | |
TimeoutStopSec=5s | |
LimitNOFILE=1048576 | |
LimitNPROC=512 | |
PrivateTmp=true | |
ProtectSystem=full | |
AmbientCapabilities=CAP_NET_BIND_SERVICE | |
[Install] | |
WantedBy=multi-user.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
caddy2.service from https://github.com/caddyserver/dist