Created
May 24, 2018 19:50
-
-
Save menangen/b68bd69640b6fbe652595e1fc1a38b81 to your computer and use it in GitHub Desktop.
Systemd init scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Unit] | |
Description=Caddy HTTP/2 web server | |
Documentation=https://caddyserver.com/docs | |
After=network-online.target | |
Wants=network-online.target systemd-networkd-wait-online.service | |
[Service] | |
Restart=on-abnormal | |
; User and group the process will run as. | |
User=www-data | |
Group=www-data | |
; Letsencrypt-issued certificates will be written to this directory. | |
Environment=CADDYPATH=/etc/ssl/caddy | |
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile. | |
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/www | |
ExecReload=/bin/kill -USR1 $MAINPID | |
; Use graceful shutdown with a reasonable timeout | |
KillMode=mixed | |
KillSignal=SIGQUIT | |
TimeoutStopSec=5s | |
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. | |
LimitNOFILE=1048576 | |
; Unmodified caddy is not expected to use more than that. | |
LimitNPROC=512 | |
; Use private /tmp and /var/tmp, which are discarded after caddy stops. | |
PrivateTmp=true | |
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.) | |
PrivateDevices=false | |
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. | |
ProtectHome=true | |
; Make /usr, /boot, /etc and possibly some more folders read-only. | |
ProtectSystem=full | |
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there. | |
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! | |
# ReadWriteDirectories=/etc/ssl/caddy | |
; The following additional security directives only work with systemd v229 or later. | |
; They further restrict privileges that can be gained by caddy. Uncomment if you like. | |
; Note that you may have to add capabilities required by any plugins in use. | |
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE | |
;AmbientCapabilities=CAP_NET_BIND_SERVICE | |
;NoNewPrivileges=true | |
[Install] | |
WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Unit] | |
Description=Cross-platform(Linux/MacOS/Windows/Android/iOS) proxy software | |
Documentation=https://github.com/txthinking/brook | |
After=network-online.target | |
Wants=network-online.target systemd-networkd-wait-online.service | |
[Service] | |
Restart=on-abnormal | |
; User and group the process will run as. | |
User=www-data | |
Group=www-data | |
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile. | |
ExecStart=/usr/local/bin/brook socks5 -l :5000 -i 0.0.0.0 | |
ExecStop=/bin/kill $MAINPID | |
; Use graceful shutdown with a reasonable timeout | |
KillMode=mixed | |
KillSignal=SIGQUIT | |
TimeoutStopSec=1s | |
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. | |
LimitNOFILE=1048576 | |
; Unmodified caddy is not expected to use more than that. | |
LimitNPROC=512 | |
; Use private /tmp and /var/tmp, which are discarded after caddy stops. | |
PrivateTmp=true | |
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.) | |
PrivateDevices=false | |
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. | |
ProtectHome=true | |
; Make /usr, /boot, /etc and possibly some more folders read-only. | |
ProtectSystem=full | |
; The following additional security directives only work with systemd v229 or later. | |
; They further restrict privileges that can be gained by caddy. Uncomment if you like. | |
; Note that you may have to add capabilities required by any plugins in use. | |
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE | |
;AmbientCapabilities=CAP_NET_BIND_SERVICE | |
;NoNewPrivileges=true | |
[Install] | |
WantedBy=multi-user.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment