JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

caddy service: sync with upstream systemd unit

Browse Source 
Increases security and fixes minor issues.
This commit is contained in:
Franz Pletz 2017-06-11 22:02:06 +02:00
parent ec27fcdd6c
commit 071815cb24
No known key found for this signature in database
GPG Key ID: 846FDED7792617B4
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
nixos/modules/services/web-servers/caddy.nix
View File

@ -50,17 +50,30 @@ in
config = mkIf cfg.enable {
systemd.services.caddy = {
description = "Caddy web server";
after = [ "network.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''${cfg.package.bin}/bin/caddy -conf=${configFile} \
-ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
ExecStart = ''
${cfg.package.bin}/bin/caddy -root=/var/tmp -conf=${configFile} \
-ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Type = "simple";
User = "caddy";
Group = "caddy";
Restart = "on-failure";
StartLimitInterval = 86400;
StartLimitBurst = 5;
AmbientCapabilities = "cap_net_bind_service";
LimitNOFILE = 8192;
CapabilityBoundingSet = "cap_net_bind_service";
NoNewPrivileges = true;
LimitNPROC = 64;
LimitNOFILE = 1048576;
PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
ProtectSystem = "full";
ReadWriteDirectories = cfg.dataDir;
};
};