From c29a69a60d9c1134d43897b2cdd093f59dcaed5b Mon Sep 17 00:00:00 2001
From: Jack
Date: Mon, 7 Jan 2019 19:02:03 +0100
Subject: [PATCH] Harden Traefik systemd service

---
 contrib/systemd/traefik.service | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/contrib/systemd/traefik.service b/contrib/systemd/traefik.service
index 37ba9102a..5b1d04975 100644
--- a/contrib/systemd/traefik.service
+++ b/contrib/systemd/traefik.service
@@ -1,11 +1,41 @@
 [Unit]
 Description=Traefik
+Documentation=https://docs.traefik.io
+#After=network-online.target
+#AssertFileIsExecutable=/usr/bin/traefik
+#AssertPathExists=/etc/traefik/traefik.toml
 
 [Service]
+# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
+#User=traefik
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# configure service behavior
 Type=notify
-ExecStart=/usr/bin/traefik --configFile=/etc/traefik.toml
+#ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
 Restart=always
 WatchdogSec=1s
 
+# lock down system access
+# prohibit any operating system and configuration modification
+#ProtectSystem=strict
+# create separate, new (and empty) /tmp and /var/tmp filesystems
+#PrivateTmp=true
+# make /home directories inaccessible
+#ProtectHome=true
+# turns off access to physical devices (/dev/...)
+#PrivateDevices=true
+# make kernel settings (procfs and sysfs) read-only
+#ProtectKernelTunables=true
+# make cgroups /sys/fs/cgroup read-only
+#ProtectControlGroups=true
+
+# allow writing of acme.json
+#ReadWritePaths=/etc/traefik/acme.json
+# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
+
+# limit number of processes in this unit
+#LimitNPROC=1
+
 [Install]
 WantedBy=multi-user.target
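Review bot: The hunk removes the only active `ExecStart=` line and replaces it with a commented-out one, so the unit as committed has no ExecStart at all and systemd will refuse to start a `Type=notify` service without one; the replacement should be live, `ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml`, and the move from `/etc/traefik.toml` to `/etc/traefik/traefik.toml` is a breaking path change for existing installs that the commit message should call out. Every hardening directive (`User=`, `ProtectSystem=strict`, `PrivateTmp=`, `ProtectHome=`, `PrivateDevices=`, `ProtectKernelTunables=`, `ProtectControlGroups=`) is likewise commented out, so despite the subject line the shipped unit still runs Traefik as root with full system access; if the sample is meant as a template, a header comment such as `# Hardening directives below are commented out; review and enable each one for your deployment` would make that explicit. With `ProtectSystem=strict` enabled, `ReadWritePaths=/etc/traefik/acme.json` only works if that file already exists at unit start, which is worth a comment next to it. `#After=network-online.target` has no effect on ordering unless paired with `Wants=network-online.target`. `LimitNPROC=1` is presumably too low for a multi-threaded Go binary since RLIMIT_NPROC counts threads on Linux, and it is not enforced for root anyway — confirm the intended value before anyone uncomments it.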