
# Caddy systemd unit, built through the project's `utils.systemd.mkService`
# helper (defined elsewhere in this repository). The expression is curried:
# package set first, then the service options, then the NixOS module
# arguments (which this file accepts but does not read).
{ stdenv
, pkgs
, utils
}:
# Service options. The defaults run Caddy as the "http" user/group and read
# /etc/caddy/Caddyfile; `configDir`/`configFile` are only joined into a path.
{ user ? "http"
, group ? "http"
, configDir ? "/etc/caddy"
, configFile ? "Caddyfile"
}:
{ ... }:
let
  # Path to the caddy binary from the supplied package set.
  caddyBin = "${pkgs.caddy}/bin/caddy";
  # Location of the Caddyfile handed to `caddy run` / `caddy reload`.
  caddyfile = "${configDir}/${configFile}";
in
# The unit text is passed verbatim. Note that most of systemd's sandboxing
# directives (NoNewPrivileges, CapabilityBoundingSet, ProtectSystem=strict,
# ProtectKernel*, ProtectHome, ...) are present only as `#`-commented lines
# and therefore have no effect; only PrivateTmp, ProtectSystem=full, the
# LimitNOFILE/LimitNPROC limits and AmbientCapabilities=CAP_NET_BIND_SERVICE
# are active. Switching to ProtectSystem=strict would also need the
# commented ReadWritePaths line so Caddy keeps its state and log directories
# writable.
utils.systemd.mkService {
  name = "caddy";
  content = ''
    [Unit]
    Description=Caddy webserver
    Documentation=https://caddyserver.com/docs/
    After=network.target network-online.target
    Wants=network-online.target systemd-networkd-wait-online.target
    StartLimitInterval=14400
    StartLimitBurst=10
    [Service]
    Type=notify
    User=${user}
    Group=${group}
    # Environment=XDG_DATA_HOME=/var/lib
    # Environment=XDG_CONFIG_HOME=${configDir}
    ExecStart=${caddyBin} run --environ --config ${caddyfile}
    ExecReload=${caddyBin} reload --config ${caddyfile}
    # Restart=on-abnormal
    # # RuntimeDirectory=caddy
    # KillMode=mixed
    # KillSignal=SIGQUIT
    TimeoutStopSec=5s
    LimitNOFILE=1048576
    LimitNPROC=512
    # PrivateDevices=true
    PrivateTmp=true
    # ProtectKernelTunables=true
    # ProtectKernelModules=true
    # ProtectControlGroups=true
    # ProtectKernelLogs=true
    # ProtectHome=true
    # ProtectHostname=true
    # ProtectClock=true
    # RestrictSUIDSGID=true
    # LockPersonality=true
    # NoNewPrivileges=true
    # CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    # ProtectSystem=strict
    ProtectSystem=full
    # ReadWritePaths=/var/lib/caddy /var/log/caddy
    [Install]
    WantedBy=multi-user.target
  '';
}
# Example contents for /etc/caddy/Caddyfile (the default configDir/configFile above):
# {
# # debug
#
# # Disable auto https
# http_port 10001
# https_port 10002
# }
#
# import conf.d/*