Harden Traefik systemd service

contrib/systemd/traefik.service

@@ -1,11 +1,41 @@
 [Unit]
 Description=Traefik
+Documentation=https://docs.traefik.io
+#After=network-online.target
+#AssertFileIsExecutable=/usr/bin/traefik
+#AssertPathExists=/etc/traefik/traefik.toml
 
 [Service]
+# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
+#User=traefik
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# configure service behavior
 Type=notify
-ExecStart=/usr/bin/traefik --configFile=/etc/traefik.toml
+#ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
 Restart=always
 WatchdogSec=1s
 
+# lock down system access
+# prohibit any operating system and configuration modification
+#ProtectSystem=strict
+# create separate, new (and empty) /tmp and /var/tmp filesystems
+#PrivateTmp=true
+# make /home directories inaccessible
+#ProtectHome=true
+# turns off access to physical devices (/dev/...)
+#PrivateDevices=true
+# make kernel settings (procfs and sysfs) read-only
+#ProtectKernelTunables=true
+# make cgroups /sys/fs/cgroup read-only
+#ProtectControlGroups=true
+
+# allow writing of acme.json
+#ReadWritePaths=/etc/traefik/acme.json
+# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
+
+# limit number of processes in this unit
+#LimitNPROC=1
+
 [Install]
 WantedBy=multi-user.target