caddy/dist/init/linux-systemd/caddy.service

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=www-data
Group=www-data

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00			`[Unit]`
			`Description=Caddy HTTP/2 web server`
			`Documentation=https://caddyserver.com/docs`
			`After=network-online.target`
			`Wants=network-online.target systemd-networkd-wait-online.service`

			`[Service]`
Increase restart rate limit The previous setting caused the service to hit a rate-limit when it was restarted more than 5 times in 24h. Editing the Caddyfile and restarting the service could also easily trigger this rate limit. One could argue that users could simply call `systemctl reset-failed caddy` to reset the rate-limit counter, but this is counterintuitive because most users won't know this command and are possibly unaware that they had hit a rate-limit. The service is now allowed to restart 10 times in 10 seconds before hitting a rate limit. This should be conservative enough to rate limit quickly failing services and to allow users to edit and test their caddy configuration. This closes #1718 Remove restart limit settings and use defaults By default 5 restarts within 10 seconds are allowed without encountering a restart limit hit, see `man systemd.unit` for details. Set Restart to on-abnormal The table in https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart= shows the conditions for which on-abnormal would restart the service. It will not restart the service in the following cases: - a non-zero exit status, e.g. an invalid Caddyfile - a zero exit code (or those specified in SuccessExitStatus=) and a clean signal clean signals are SIGHUP, SIGINT, SIGTERM or SIGPIPE https://github.com/systemd/systemd/blob/3536f49e8fa281539798a7bc5004d73302f39673/src/basic/exit-status.c#L205 The service will be restarted in the following cases: - a unclean signal, e.g. SIGKILL - on start and watchdog timeout (we don't use those systemd service constructs explicitly) 2017-06-16 03:40:21 -05:00			`Restart=on-abnormal`
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00
			`; User and group the process will run as.`
			`User=www-data`
			`Group=www-data`

			`; Letsencrypt-issued certificates will be written to this directory.`
Init switch from HOME to Caddy (#1272) * INIT-systemd use CADDYPATH instatt of HOME * INIT-upstart use CADDYPATH instatt of HOME * INIT-upstart use CADDYPATH instatt of HOME * INIT-upstart use CADDYPATH instatt of HOME 2016-11-23 16:12:19 -05:00			`Environment=CADDYPATH=/etc/ssl/caddy`
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00
			`; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.`
Changing refs from /usr/bin to /usr/local/bin 2016-07-05 12:39:04 -05:00			`ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp`
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00			`ExecReload=/bin/kill -USR1 $MAINPID`

Configure systemd to send SIGQUIT on stop (#1702) 2017-06-24 13:15:13 -05:00			`; Use graceful shutdown with a reasonable timeout`
			`KillMode=mixed`
			`KillSignal=SIGQUIT`
			`TimeoutStopSec=5s`

systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00			; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
			`LimitNOFILE=1048576`
			`; Unmodified caddy is not expected to use more than that.`
Set LimitNPROC=512 for systemd 2017-08-14 11:42:05 -05:00			`LimitNPROC=512`
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00
			`; Use private /tmp and /var/tmp, which are discarded after caddy stops.`
			`PrivateTmp=true`
Disable PrivateDevices in systemd as it doesn't work for some devices (#1990) 2018-02-03 13:13:23 -05:00			`; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)`
			`PrivateDevices=false`
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00			`; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.`
			`ProtectHome=true`
			`; Make /usr, /boot, /etc and possibly some more folders read-only.`
			`ProtectSystem=full`
			`; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.`
			`; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!`
			`ReadWriteDirectories=/etc/ssl/caddy`

improvements for Linux systemd integration (#1127) * Remove unnecessary config options from systemd service so it will work with earlier versions of systemd. Simplify the systemd service instructions and make them more complete. * Minor systemd README improvements. * Add back some of the optional systemd 229 stuff but commented out for compat. * A bunch of updates to the README for linux systemd. 2016-09-23 17:50:39 -05:00			`; The following additional security directives only work with systemd v229 or later.`
caddy.service: fix typo, s/retrict/restrict/ (#2008) 2018-01-30 09:19:02 -05:00			`; They further restrict privileges that can be gained by caddy. Uncomment if you like.`
improvements for Linux systemd integration (#1127) * Remove unnecessary config options from systemd service so it will work with earlier versions of systemd. Simplify the systemd service instructions and make them more complete. * Minor systemd README improvements. * Add back some of the optional systemd 229 stuff but commented out for compat. * A bunch of updates to the README for linux systemd. 2016-09-23 17:50:39 -05:00			`; Note that you may have to add capabilities required by any plugins in use.`
			`;CapabilityBoundingSet=CAP_NET_BIND_SERVICE`
			`;AmbientCapabilities=CAP_NET_BIND_SERVICE`
			`;NoNewPrivileges=true`
systemd: Run caddy with even less privileges and more confined The exemplary unit file for systemd is intentionally redundant at times, for example dropping privileges which an unprivileged user "www-data" did not have in the first place: To aid as fallback in case the file gets copied and an operator setting UID to 0 (which reportedly happened in the past). 2016-05-11 13:48:47 -05:00
			`[Install]`
			`WantedBy=multi-user.target`