diff --git a/init/README.md b/init/README.md index d26328b..dbeec70 100644 --- a/init/README.md +++ b/init/README.md @@ -62,7 +62,7 @@ To keep our unit files tidy, we haven't littered them with comments. So here we - **`After=network.target network-online.target`** and **`Requires=network-online.target`** ensures that the network interfaces are online before Caddy starts. This is necessary because Caddy uses the network to obtain certificates and serve your site over TLS. Specifically, `network-online.target` is needed for the many users who bind listeners to specific network interfaces. - **`TimeoutStopSec=5s`** will forcibly kill the caddy process if it cannot gracefully shut down within this time limit. We figure, if you're stopping the server anyway (as opposed to reloading -- two very distinct operations!) then stopping gracefully is less important than stopping at all. - **`LimitNOFILE=1048576`** raises the file descriptor limit for the caddy process (`ulimit -n`). This is very important for busy sites, or for servers which need to keep connections open longer. This is the [maximum allowed value](https://stackoverflow.com/a/1213069/1048862) for some popular Linux distros. -- **`LimitNPROC=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea. +- **`TasksMax=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea. - **`PrivateTmp=true`** keeps /tmp and /var/tmp private, which are discarded after caddy stops. - **`ProtectSystem=full`** allows writing to /var, which is crucial so that it can store certificates and other data for your site. - **`AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`** allows caddy to modify socket options and bind to low ports (< 1024) without running as root. 
diff --git a/init/caddy-api.service b/init/caddy-api.service index ce32ff6..6c8a0f1 100644 --- a/init/caddy-api.service +++ b/init/caddy-api.service @@ -20,6 +20,7 @@ Group=caddy ExecStart=/usr/bin/caddy run --environ --resume TimeoutStopSec=5s LimitNOFILE=1048576 +TasksMax=512 PrivateTmp=true ProtectSystem=full AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE diff --git a/init/caddy.service b/init/caddy.service index 1292e12..30ca048 100644 --- a/init/caddy.service +++ b/init/caddy.service @@ -27,6 +27,7 @@ ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force TimeoutStopSec=5s LimitNOFILE=1048576 +TasksMax=512 PrivateTmp=true ProtectSystem=full AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
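Review bot: In init/README.md, the renamed bullet still carries the `ulimit -u` parenthetical, which describes the old `LimitNPROC` (RLIMIT_NPROC) setting and not `TasksMax`. `TasksMax` is enforced per unit through the cgroup pids controller and does not show up in `ulimit` output, so anyone verifying the setting that way will be misled. The word "raises" is also doubtful, since whether 512 is above or below the effective default depends on the host's `DefaultTasksMax`. Suggest rewording to something like "**`TasksMax=512`** caps the number of tasks (processes and threads) in the caddy unit's cgroup" and dropping the `ulimit -u` reference.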
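Review bot: In init/caddy-api.service, `TasksMax=512` sits directly under `LimitNOFILE=1048576`, and nothing in the change explains why 512 is the right ceiling for a server tuned for that many descriptors. The README bullet itself warns that a low value is a bad idea for a highly concurrent server, and once the cgroup limit is reached new thread creation fails outright instead of queueing. Please state the rationale for 512 in the commit message or README, or choose a value with more headroom. The hunk also removes no `LimitNPROC=` line, so it is worth confirming whether the README had been documenting a directive the unit did not carry.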
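Review bot: In init/caddy.service, the new `TasksMax=512` applies to the whole unit cgroup, so the `caddy reload` process started by `ExecReload=` counts against the same budget as the running server. If the server is already close to the limit, the reload helper may fail to start, which makes a config reload least reliable when the host is under load. Either leave headroom in the value for the reload process or note this interaction in the README bullet.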