caddy/caddy.service

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=14400
StartLimitBurst=10

[Service]
Type=notify
User=caddy
Group=caddy
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket

# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal

# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s

LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target
move next version to current root dir 2021-02-13 04:19:40 +00:00			`# caddy.service`
			`#`
			`# For using Caddy with a config file.`
			`#`
			`# Make sure the ExecStart and ExecReload commands are correct`
			`# for your installation.`
			`#`
			`# See https://caddyserver.com/docs/install for instructions.`
			`#`
			`# WARNING: This service does not use the --resume flag, so if you`
			`# use the API to make changes, they will be overwritten by the`
			`# Caddyfile next time the service is restarted. If you intend to`
			`# use Caddy's API to configure it, add the --resume flag to the`
			# `caddy run` command or use the caddy-api.service file instead.

addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00			`[Unit]`
move next version to current root dir 2021-02-13 04:19:40 +00:00			`Description=Caddy web server`
			`Documentation=https://caddyserver.com/docs/`
addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00			`After=network-online.target`
Don't depend on systemd-network-wait-online.service Depending on network-online.target is good enough. The user may or may not use systemd-networkd to manage network interfaces. Fixing https://gitlab.archlinux.org/archlinux/packaging/packages/caddy/-/issues/1 2023-12-14 19:03:53 +08:00			`Wants=network-online.target`
addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00			`StartLimitIntervalSec=14400`
			`StartLimitBurst=10`

			`[Service]`
upgpkg: 2.6.2-1 2022-10-26 22:47:16 +00:00			`Type=notify`
move next version to current root dir 2021-02-13 04:19:40 +00:00			`User=caddy`
			`Group=caddy`
			`Environment=XDG_DATA_HOME=/var/lib`
			`Environment=XDG_CONFIG_HOME=/etc`
			`ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile`
			`ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile`
upgpkg: 2.6.2-1 2022-10-26 22:47:16 +00:00			`ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force`
systemd: ensure unix socket is removed on ungraceful shutdown Caddy chokes if it dies or systemd timeout kills the process ungracefully as it can't deal with a left over unix file socket. Ensure the unit always deletes the socket as a post exit cleanup strategy. 2021-02-13 16:14:45 +00:00			`ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket`
addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00
			`# Do not allow the process to be restarted in a tight loop. If the`
			`# process fails to start, something critical needs to be fixed.`
			`Restart=on-abnormal`

			`# Use graceful shutdown with a reasonable timeout`
			`TimeoutStopSec=5s`

			`LimitNOFILE=1048576`
			`LimitNPROC=512`

			`# Hardening options`
			`AmbientCapabilities=CAP_NET_BIND_SERVICE`
move next version to current root dir 2021-02-13 04:19:40 +00:00			`CapabilityBoundingSet=CAP_NET_BIND_SERVICE`
			`DevicePolicy=closed`
			`LockPersonality=true`
			`MemoryAccounting=true`
			`MemoryDenyWriteExecute=true`
addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00			`NoNewPrivileges=true`
move next version to current root dir 2021-02-13 04:19:40 +00:00			`PrivateDevices=true`
			`PrivateTmp=true`
			`ProcSubset=pid`
			`ProtectClock=true`
addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00			`ProtectControlGroups=true`
move next version to current root dir 2021-02-13 04:19:40 +00:00			`ProtectHome=true`
			`ProtectHostname=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`ProtectSystem=strict`
			`RemoveIPC=true`
			`ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy`
			`RestrictNamespaces=true`
			`RestrictRealtime=true`
			`RestrictSUIDSGID=true`
addpkg: 1.0.4-2 2019-12-24 12:58:14 +00:00
			`[Install]`
			`WantedBy=multi-user.target`