traefik/contrib/systemd/traefik.service

[Unit]
Description=Traefik
Documentation=https://doc.traefik.io/traefik/
#After=network-online.target
#AssertFileIsExecutable=/usr/bin/traefik
#AssertPathExists=/etc/traefik/traefik.toml

[Service]
# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
#User=traefik
#AmbientCapabilities=CAP_NET_BIND_SERVICE

# configure service behavior
Type=notify
#ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
Restart=always
WatchdogSec=1s

# lock down system access
# prohibit any operating system and configuration modification
#ProtectSystem=strict
# create separate, new (and empty) /tmp and /var/tmp filesystems
#PrivateTmp=true
# make /home directories inaccessible
#ProtectHome=true
# turns off access to physical devices (/dev/...)
#PrivateDevices=true
# make kernel settings (procfs and sysfs) read-only
#ProtectKernelTunables=true
# make cgroups /sys/fs/cgroup read-only
#ProtectControlGroups=true

# allow writing of acme.json
#ReadWritePaths=/etc/traefik/acme.json
# depending on log and entrypoint configuration, you may need to allow writing to other paths, too

# limit number of processes in this unit
#LimitNPROC=1

[Install]
WantedBy=multi-user.target
Add minimal systemd service file 2016-01-21 12:40:12 +00:00			`[Unit]`
			`Description=Traefik`
chore: apply new documentation style. Co-authored-by: jbdoumenjou <jb.doumenjou@gmail.com> 2020-09-23 08:20:04 +00:00			`Documentation=https://doc.traefik.io/traefik/`
Harden Traefik systemd service 2019-01-07 18:02:03 +00:00			`#After=network-online.target`
			`#AssertFileIsExecutable=/usr/bin/traefik`
			`#AssertPathExists=/etc/traefik/traefik.toml`
Add minimal systemd service file 2016-01-21 12:40:12 +00:00
			`[Service]`
Harden Traefik systemd service 2019-01-07 18:02:03 +00:00			`# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)`
			`#User=traefik`
			`#AmbientCapabilities=CAP_NET_BIND_SERVICE`

			`# configure service behavior`
Use sdnotify for systemd (#768) * Use sdnotify for systemd This is useful if a configuration is long to load. Systemd will continue dependency chain only when server have finish to start. https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type= * Extract the waiting behavior from Start() 2016-10-25 15:59:39 +00:00			`Type=notify`
Harden Traefik systemd service 2019-01-07 18:02:03 +00:00			`#ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml`
Add systemd watchdog feature 2016-11-08 11:25:56 +00:00			`Restart=always`
			`WatchdogSec=1s`
Make systemd unit installable Having a install section makes it possible to enable/disable traefik using the standard systemd commands `systemctl enable traefik` `systemctl disable traefk` 2016-08-12 10:52:35 +00:00
Harden Traefik systemd service 2019-01-07 18:02:03 +00:00			`# lock down system access`
			`# prohibit any operating system and configuration modification`
			`#ProtectSystem=strict`
			`# create separate, new (and empty) /tmp and /var/tmp filesystems`
			`#PrivateTmp=true`
			`# make /home directories inaccessible`
			`#ProtectHome=true`
			`# turns off access to physical devices (/dev/...)`
			`#PrivateDevices=true`
			`# make kernel settings (procfs and sysfs) read-only`
			`#ProtectKernelTunables=true`
			`# make cgroups /sys/fs/cgroup read-only`
			`#ProtectControlGroups=true`

			`# allow writing of acme.json`
			`#ReadWritePaths=/etc/traefik/acme.json`
			`# depending on log and entrypoint configuration, you may need to allow writing to other paths, too`

			`# limit number of processes in this unit`
			`#LimitNPROC=1`

Make systemd unit installable Having a install section makes it possible to enable/disable traefik using the standard systemd commands `systemctl enable traefik` `systemctl disable traefk` 2016-08-12 10:52:35 +00:00			`[Install]`
			`WantedBy=multi-user.target`