# caddy-api.service
#
# For using Caddy with its API.
#
# This unit is "durable" in that it will automatically resume
# the last active configuration if the service is restarted.
#
# See https://caddyserver.com/docs/install for instructions.
#
# Read by systemd as a unit file: full-line # comments only, = delimiter,
# section names ([Unit], [Service], [Install]) are fixed and case-sensitive.

[Unit]
Description=Caddy API Server
Documentation=https://caddyserver.com/docs/
# Start only once the network is reported online (ordering + weak dependency).
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
# Rate-limit restarts: at most StartLimitBurst starts within
# StartLimitIntervalSec seconds (14400 s = 4 h); beyond that the unit
# stays failed until an operator intervenes. Pairs with Restart= below.
StartLimitIntervalSec=14400
StartLimitBurst=10

[Service]
# systemd treats the service as started only after Caddy's readiness
# notification, so dependents do not start against a half-initialised server.
Type=notify
# Runs unprivileged; port binding below 1024 is granted via the capability below.
User=caddy
Group=caddy
# Caddy derives its data/config directories from XDG_*; with these values
# they resolve under /var/lib, which must agree with ReadWritePaths= below.
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/var/lib
# --environ prints the process environment at startup (helps verify the
# XDG_* values above); --resume reloads the last configuration that was
# applied through the API, as described in the header.
ExecStart=/usr/bin/caddy run --environ --resume

# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal

# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s

# Resource limits: many open sockets/files are expected for a proxy;
# NPROC bounds the number of processes/threads the caddy user may create.
LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
# Keep CAP_NET_BIND_SERVICE so the unprivileged user can bind 80/443;
# the bounding set removes every other capability, so a compromised
# process cannot regain them.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
# Go binary does not need writable+executable memory mappings.
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
# ProcSubset= and ProtectProc= are newer options; on a systemd build that
# does not know them they are logged and ignored rather than rejected,
# so check `systemd-analyze security caddy-api.service` on the target host.
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
# Whole filesystem read-only for the service; the paths below are the
# only writable locations (data/autosave, logs, runtime socket dir).
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# NOTE(review): no RestrictAddressFamilies= or SystemCallFilter= here;
# if they are added later, confirm the address families the admin
# endpoint and the configured listeners actually need before enabling.

[Install]
WantedBy=multi-user.target