author | Trygve Laugstøl <trygvis@inamo.no> | 2025-06-30 19:07:11 +0200 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2025-06-30 19:07:11 +0200 |
commit | 12e9c7cc704c6ac782c246080f58d6f2556caaf7 (patch) | |
tree | fb52e9cb76fc7212425792842058ccb2238f4960 /ansible/roles/traefik-server/templates | |
parent | 027054b178a5fab136d391e535b720dcb2cb799c (diff) | |
Diffstat (limited to 'ansible/roles/traefik-server/templates')
-rw-r--r-- | ansible/roles/traefik-server/templates/traefik.service.j2 | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/ansible/roles/traefik-server/templates/traefik.service.j2 b/ansible/roles/traefik-server/templates/traefik.service.j2
new file mode 100644
index 0000000..14bc403
--- /dev/null
+++ b/ansible/roles/traefik-server/templates/traefik.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=traefik proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+AssertFileIsExecutable=/usr/local/bin/traefik
+AssertPathExists=/etc/traefik/traefik.toml
+
+[Service]
+Restart=on-abnormal
+
+#User=traefik
+#Group=traefik
+
+; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
+ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+
+; Use private /tmp and /var/tmp, which are discarded after traefik stops.
+PrivateTmp=true
+
+; Use a minimal /dev (May bring additional security if switched to 'true')
+PrivateDevices=true
+
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+; ... except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+#ReadWriteDirectories=/etc/traefik/acme
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by traefik. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+{% set env=traefik_environment.items()|default({}) %}
+{% if env %}
+
+{% for k, v in env %}
+Environment="{{ k }}={{ v }}"
+{% endfor %}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
|
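Review bot: `#User=traefik` and `#Group=traefik` are left commented out in the `[Service]` section, so the proxy runs as UID 0 even though `AmbientCapabilities=CAP_NET_BIND_SERVICE` exists precisely so an unprivileged account can bind 80/443; uncomment both (and have the role create that account) so the capability bounding set and `NoNewPrivileges=` actually reduce what a compromised traefik can do. `{% set env=traefik_environment.items()|default({}) %}` applies the default after `.items()`, which errors on an undefined `traefik_environment` before the filter ever runs — use `{% set env = (traefik_environment | default({})).items() %}`. Several comments appear to be stale copies from another unit (the `"-root"`/"traefikfile" line above `ExecStart=`, "if switched to 'true'" on a directive that is already true, `/etc/ssl/traefik` beside `/etc/traefik/acme`) and should be rewritten or dropped; note also that with `ProtectSystem=full` keeping /etc read-only, ACME storage under /etc/traefik will need `ReadWritePaths=/etc/traefik/acme` if traefik.toml points there. Values rendered into `Environment="{{ k }}={{ v }}"` are not escaped for unit-file quoting and are exposed through `systemctl show`, so if any of them are secrets they belong in an `EnvironmentFile=` with 0600 permissions rather than in the unit.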