Joakim
7788410bfc
- Add comprehensive Caddy role with HTTPS/TLS, DNS challenges, and systemd security - Implement optimized systemd overrides with enhanced security restrictions - Create detailed documentation with usage examples and variable references - Establish proper Ansible configuration with vault integration - Update site.yml for infrastructure orchestration with role-based deployment - Add host-specific configuration structure for scalable multi-environment setup
38 lines
1.0 KiB
Django/Jinja
38 lines
1.0 KiB
Django/Jinja
[Service]
|
|
# Reload configuration with --force flag for reliability
|
|
ExecReload=
|
|
ExecReload=/usr/bin/caddy reload --config {{ caddy_config_file }} --force
|
|
|
|
{% if caddy_systemd_security | default(true) %}
|
|
# Enhanced security hardening beyond base service
|
|
NoNewPrivileges=true
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
|
|
RemoveIPC=true
|
|
|
|
# Filesystem restrictions (upgrade from ProtectSystem=full)
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ReadWritePaths={{ caddy_data_dir }} {{ caddy_log_dir }}
|
|
BindReadOnlyPaths={{ caddy_config_dir }}
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectClock=true
|
|
|
|
# Network and namespace restrictions
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
|
|
# Process restrictions
|
|
LimitNPROC=1048576
|
|
MemoryDenyWriteExecute=true
|
|
SystemCallFilter=@system-service
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
# Logging (explicit configuration)
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=caddy
|
|
{% endif %} |