@paul-chambers
Created February 25, 2019 04:14
If you're not running traefik using docker, you might want a systemd service file for it.
#
# assumes you have a user called 'traefik', with the home directory '/var/lib/traefik',
# containing the 'traefik' executable and a 'traefik.toml' configuration file.
## adduser --system --shell /sbin/nologin --home /var/lib/traefik traefik
#
[Unit]
Description=Traefik
Documentation=https://docs.traefik.io
# After= only orders the unit; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network-online.target
#AssertFileIsExecutable=/var/lib/traefik/traefik
#AssertPathExists=/var/lib/traefik/traefik.toml
[Service]
User=traefik
Group=nogroup
# directive names are case-sensitive: 'Umask=' is ignored with a warning, 'UMask=' is the key
UMask=077
# lets the unprivileged user bind ports below 1024 without running as root
AmbientCapabilities=CAP_NET_BIND_SERVICE
# configure service behavior
# Type=notify and WatchdogSec= rely on traefik's sd_notify support; systemd restarts the
# service if the watchdog pings stop
Type=notify
WorkingDirectory=/var/lib/traefik
ExecStart=/var/lib/traefik/traefik --configFile=/var/lib/traefik/traefik.toml
Restart=always
WatchdogSec=1s
# lock down system access
# prohibit any operating system and configuration modification
# (strict also makes /var/lib/traefik read-only, so every file traefik must write needs ReadWritePaths=)
#ProtectSystem=strict
# create separate, new (and empty) /tmp and /var/tmp filesystems
#PrivateTmp=true
# make /home directories inaccessible
#ProtectHome=true
# turns off access to physical devices (/dev/...)
#PrivateDevices=true
# make kernel settings (procfs and sysfs) read-only
#ProtectKernelTunables=true
# make cgroups /sys/fs/cgroup read-only
#ProtectControlGroups=true
# allow writing of acme.json
#ReadWritePaths=/etc/traefik/acme.json
# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
# limit number of processes in this unit
#LimitNPROC=1
[Install]
WantedBy=multi-user.target
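As an added example (not part of the gist), a small shell lint that checks a unit file for the lockdown directives the unit above leaves commented out, for mis-cased directive names such as `Umask=` (which systemd ignores, so the umask never applies), and for `After=network-online.target` without the `Wants=` that pulls the target in; the directive list and the file name in the usage line are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Constructed lint for a traefik.service file (added example, not the gist's own code).
# Reports sandboxing directives that are commented out or absent, mis-cased keys
# (directive names are case-sensitive; "Umask=" is dropped with a warning, "UMask=" works)
# and After=network-online.target without the Wants= that actually pulls the target in.

# Directives the unit above lists under "lock down system access" (all commented out there).
LOCKDOWN_KEYS="ProtectSystem PrivateTmp ProtectHome PrivateDevices ProtectKernelTunables ProtectControlGroups"

# hardening_state FILE KEY -> prints one of: active, commented, missing
hardening_state() {
  local unit="$1" key="$2"
  if grep -Eq "^[[:space:]]*${key}=" "$unit"; then echo active
  elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}=" "$unit"; then echo commented
  else echo missing
  fi
}

# lint_unit FILE -> one finding per line on stdout; returns 0 only when nothing is flagged
lint_unit() {
  local unit="$1" key state found rc=0
  for key in $LOCKDOWN_KEYS; do
    state=$(hardening_state "$unit" "$key")
    [ "$state" = active ] || { echo "WARN $key is $state"; rc=1; }
  done
  # a key present only under a case-insensitive match is a typo systemd will ignore
  for key in UMask NoNewPrivileges ProtectSystem; do
    if ! grep -Eq "^[[:space:]]*${key}=" "$unit" && grep -Eiq "^[[:space:]]*${key}=" "$unit"; then
      found=$(grep -Eio "^[[:space:]]*${key}=" "$unit" | tr -d '[:space:]=')
      echo "ERROR ${found}= is not a systemd directive (case-sensitive; use ${key}=)"; rc=1
    fi
  done
  # After= without Wants= means network-online.target may never be started at all
  if grep -Eq '^After=.*network-online\.target' "$unit" \
     && ! grep -Eq '^Wants=.*network-online\.target' "$unit"; then
    echo "WARN After=network-online.target without Wants=network-online.target"; rc=1
  fi
  return $rc
}

# usage (assumed path): ./lint-unit.sh /etc/systemd/system/traefik.service
if [ $# -gt 0 ]; then lint_unit "$1"; fi
```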