1 files changed, 52 insertions, 0 deletions

diff --git a/ansible/roles/traefik-server/templates/traefik.service.j2 b/ansible/roles/traefik-server/templates/traefik.service.j2
new file mode 100644
index 0000000..14bc403
--- /dev/null
+++ b/ansible/roles/traefik-server/templates/traefik.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=traefik proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+AssertFileIsExecutable=/usr/local/bin/traefik
+AssertPathExists=/etc/traefik/traefik.toml
+
+[Service]
+Restart=on-abnormal
+
+#User=traefik
+#Group=traefik
+
+; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
+ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+
+; Use private /tmp and /var/tmp, which are discarded after traefik stops.
+PrivateTmp=true
+
+; Use a minimal /dev (May bring additional security if switched to 'true')
+PrivateDevices=true
+
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+; ... except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+#ReadWriteDirectories=/etc/traefik/acme
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by traefik. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+{% set env=traefik_environment.items()|default({}) %}
+{% if env %}
+
+{% for k, v in env %}
+Environment="{{ k }}={{ v }}"
+{% endfor %}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target