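# traefik.service — systemd unit for the Traefik reverse proxy
# Traefik reads its own configuration from /etc/traefik/traefik.yaml (see ExecStart).
# The hardening directives in [Service] are shipped commented out (opt-in); enable
# them only after checking which paths the running configuration must write to.

[Unit]
Description=Traefik
Documentation=https://doc.traefik.io/traefik/
# start once the network is up; the networkd wait-online dependency is only a
# Wants, so it is harmless on hosts that do not use systemd-networkd
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
# run unprivileged (previously listed twice; systemd takes the last value, both were identical)
User=traefik
# file-descriptor limit; raise if the proxy handles many concurrent connections
LimitNOFILE=4096
# allows binding ports below 1024 (80/443) without running as root
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
# systemd marks the service failed (and restarts it) if no watchdog keep-alive
# arrives within this interval; this only works if the deployed traefik build
# talks to systemd over NOTIFY_SOCKET — confirm before relying on it
WatchdogSec=1s
ExecStart=/usr/bin/traefik --configfile=/etc/traefik/traefik.yaml

# lock down system access
# prohibit any operating system and configuration modification
# (mounts the filesystem read-only except /dev, /proc, /sys)
#ProtectSystem=strict
# create separate, new (and empty) /tmp and /var/tmp filesystems
#PrivateTmp=true
# make /home directories inaccessible
#ProtectHome=true
# turns off access to physical devices (/dev/...)
#PrivateDevices=true
# make kernel settings (procfs and sysfs) read-only
#ProtectKernelTunables=true
# make cgroups /sys/fs/cgroup read-only
#ProtectControlGroups=true
# allow writing of acme.json
# (required together with ProtectSystem=strict, which otherwise makes /etc read-only)
#ReadWritePaths=/etc/traefik/acme.json
# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
# limit number of processes in this unit
#LimitNPROC=1

[Install]
WantedBy=multi-user.target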