[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

AssertFileIsExecutable=/usr/local/bin/traefik
AssertPathExists=/etc/traefik/traefik.toml

[Service]
Restart=on-abnormal

#User=traefik
#Group=traefik

; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576

; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true

; Use a minimal /dev (May bring additional security if switched to 'true')
PrivateDevices=true

; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true

; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full

; ... except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
#ReadWriteDirectories=/etc/traefik/acme

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
{% set env=traefik_environment.items()|default({}) %}
{% if env %}

{% for k, v in env %}
Environment="{{ k }}={{ v }}"
{% endfor %}
{% endif %}

[Install]
WantedBy=multi-user.target