From aa0fbef9abc5f5c80cc961099301c87704816fb6 Mon Sep 17 00:00:00 2001
From: Wilfried OLLIVIER
Date: Fri, 20 Mar 2020 14:32:45 +0100
Subject: [PATCH] Update service file with some security features

---
 templates/caddy.service.j2 | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/templates/caddy.service.j2 b/templates/caddy.service.j2
index 0fab5c4..68d3770 100755
--- a/templates/caddy.service.j2
+++ b/templates/caddy.service.j2
@@ -4,14 +4,22 @@ Documentation=https://caddyserver.com/docs
 After=network.target

 [Service]
+# Service config and instructions
 WorkingDirectory={{ caddy_home }}
 User=caddy
 LimitNOFILE=8192
-PIDFile={{ caddy_home }}/caddy.pid
-ExecStart=/usr/bin/caddy -agree=true -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -pidfile={{ caddy_home }}/caddy.pid
+ExecStart=/usr/bin/caddy -agree=true -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile
 ExecReload=/bin/kill -USR1 $MAINPID
 Restart=on-failure
 StartLimitInterval=600
+TimeoutStopSec=5s
+KillSignal=SIGQUIT
+# Service security
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
+ReadWritePaths={{ caddy_home }}
+ReadWriteDirectories={{ caddy_home }}

 [Install]
 WantedBy=multi-user.target
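Review bot: In the `# Service security` group, `ProtectSystem=full` only makes /usr, /boot and /etc read-only, so the added `ReadWritePaths={{ caddy_home }}` has an effect only if `caddy_home` lies under one of those, and the rest of the filesystem stays as writable to the `caddy` user as before; since the writable path is already declared, `ProtectSystem=strict` (systemd 232 or later) would confine writes to it, with any other path Caddy writes to, such as a log directory, listed as well. `ReadWriteDirectories=` is the pre-231 systemd name for `ReadWritePaths=`, so the last added line duplicates the one above it; if it is kept for older hosts, a comment such as `# legacy alias of ReadWritePaths= for systemd < 231` would say why. `ProtectHome=true` hides /home, /root and /run/user, so the unit would fail to enter `WorkingDirectory` if `caddy_home` resolves under one of them; the variable's value is not visible in this patch. `NoNewPrivileges=true` would be a natural addition to the group, provided the role does not rely on file capabilities on /usr/bin/caddy for binding low ports.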