next: reduce diff to v1, add go hardening
This commit is contained in:
Levente Polyak
@ -18,6 +18,8 @@ StartLimitBurst=10
|
||||
[Service]
|
||||
User=caddy
|
||||
Group=caddy
|
||||
Environment=XDG_DATA_HOME=/var/lib
|
||||
Environment=XDG_CONFIG_HOME=/var/lib
|
||||
ExecStart=/usr/bin/caddy run --environ --resume
|
||||
|
||||
# Do not allow the process to be restarted in a tight loop. If the
|
||||
@ -32,19 +34,19 @@ TimeoutStopSec=5s
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=512
|
||||
|
||||
|
||||
# Hardening options
|
||||
PrivateTmp=true
|
||||
ProtectSystem=strict
|
||||
ProtectKernelModules=true
|
||||
NoNewPrivileges=true
|
||||
LockPersonality=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectHome=true
|
||||
ReadWritePaths=/var/lib/caddy /var/log/caddy
|
||||
PrivateDevices=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/var/lib/caddy /var/log/caddy
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
NoNewPrivileges=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
LockPersonality=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
Reference in New Issue
Block a user