41 lines
1.1 KiB
Desktop File
41 lines
1.1 KiB
Desktop File
[Unit]
|
|
Description=Traefik
|
|
Documentation=https://docs.traefik.io
|
|
After=network-online.target
|
|
AssertFileIsExecutable=/usr/bin/traefik
|
|
|
|
[Service]
|
|
# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
|
|
User=traefik
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
# configure service behavior
|
|
Type=notify
|
|
ExecStart=/usr/bin/traefik
|
|
Restart=always
|
|
WatchdogSec=1s
|
|
|
|
# lock down system access
|
|
# prohibit any operating system and configuration modification
|
|
ProtectSystem=strict
|
|
# create separate, new (and empty) /tmp and /var/tmp filesystems
|
|
PrivateTmp=true
|
|
# make /home directories inaccessible
|
|
ProtectHome=true
|
|
# turns off access to physical devices (/dev/...)
|
|
PrivateDevices=true
|
|
# make kernel settings (procfs and sysfs) read-only
|
|
ProtectKernelTunables=true
|
|
# make cgroups /sys/fs/cgroup read-only
|
|
ProtectControlGroups=true
|
|
|
|
# allow writing of acme.json
|
|
ReadWritePaths=/etc/traefik/acme.json
|
|
# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
|
|
|
|
# limit number of processes in this unit
|
|
#LimitNPROC=1
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|