Fix #65593
add traefik service add traefik sysusers file noextract tarball, because we need a clean build environment. Otherwise the go tests will fail, due to service and sysusers files in the repo.
This commit is contained in:
Christian Rebischke
41
traefik.service
Normal file
41
traefik.service
Normal file
@ -0,0 +1,41 @@
|
||||
[Unit]
|
||||
Description=Traefik
|
||||
Documentation=https://docs.traefik.io
|
||||
After=network-online.target
|
||||
AssertFileIsExecutable=/usr/bin/traefik
|
||||
AssertPathExists=/etc/traefik/traefik.toml
|
||||
|
||||
[Service]
|
||||
# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
|
||||
User=traefik
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
# configure service behavior
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
|
||||
Restart=always
|
||||
WatchdogSec=1s
|
||||
|
||||
# lock down system access
|
||||
# prohibit any operating system and configuration modification
|
||||
ProtectSystem=strict
|
||||
# create separate, new (and empty) /tmp and /var/tmp filesystems
|
||||
PrivateTmp=true
|
||||
# make /home directories inaccessible
|
||||
ProtectHome=true
|
||||
# turns off access to physical devices (/dev/...)
|
||||
PrivateDevices=true
|
||||
# make kernel settings (procfs and sysfs) read-only
|
||||
ProtectKernelTunables=true
|
||||
# make cgroups /sys/fs/cgroup read-only
|
||||
ProtectControlGroups=true
|
||||
|
||||
# allow writing of acme.json
|
||||
ReadWritePaths=/etc/traefik/acme.json
|
||||
# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
|
||||
|
||||
# limit number of processes in this unit
|
||||
#LimitNPROC=1
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user