author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-06-11 22:02:06 +0200 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-06-13 21:21:59 +0200 |
commit | 071815cb244e2f884552936d245944e4369e81a0 (patch) | |
tree | d0b7e985f8fa92ee91fe4d0694debca219365e06 /nixos | |
parent | ec27fcdd6cf78c6b923ce4658be63af8f50f2ab6 (diff) | |
caddy service: sync with upstream systemd unit
Increases security and fixes minor issues.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-servers/caddy.nix | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
index eec285f6bc4..9ac1a08bb58 100644
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -50,17 +50,30 @@ in
 config = mkIf cfg.enable {
 systemd.services.caddy = {
 description = "Caddy web server";
- after = [ "network.target" ];
+ after = [ "network-online.target" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
- ExecStart = ''${cfg.package.bin}/bin/caddy -conf=${configFile} \
- -ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
+ ExecStart = ''
+ ${cfg.package.bin}/bin/caddy -root=/var/tmp -conf=${configFile} \
+ -ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
 '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 Type = "simple";
 User = "caddy";
 Group = "caddy";
+ Restart = "on-failure";
+ StartLimitInterval = 86400;
+ StartLimitBurst = 5;
 AmbientCapabilities = "cap_net_bind_service";
- LimitNOFILE = 8192;
+ CapabilityBoundingSet = "cap_net_bind_service";
+ NoNewPrivileges = true;
+ LimitNPROC = 64;
+ LimitNOFILE = 1048576;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectSystem = "full";
+ ReadWriteDirectories = cfg.dataDir;
 };
 };
|
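Review bot: `ReadWriteDirectories = cfg.dataDir` does not confine the service's writes to the data directory, because `ProtectSystem = "full"` only makes /usr, /boot and /etc read-only; everything else, /var included, stays writable wherever the caddy user's file permissions allow. If the intent is that Caddy can write only to dataDir, `ProtectSystem = "strict";` (present from systemd 232) makes the whole hierarchy read-only and gives the allow-list line its meaning, though that needs checking against the systemd version this module targets. Failing that, a comment above the line such as `# only takes effect for paths that ProtectSystem makes read-only` would stop readers from assuming a tighter sandbox than the unit provides. The enclosing `config = mkIf cfg.enable {` block continues past the end of the hunk.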