protect local admin socket, harden service file

next/caddy-api.service

@@ -27,26 +27,36 @@ ExecStart=/usr/bin/caddy run --environ --resume
 Restart=on-abnormal
 
 # Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
 TimeoutStopSec=5s
 
 LimitNOFILE=1048576
 LimitNPROC=512
 
 # Hardening options
-PrivateTmp=true
-PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
 LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
 
 [Install]
 WantedBy=multi-user.target