Ryiski · January 14, 2024 21:22 · Jul 6, 2019 · Jun 25, 2018 · Jun 25, 2018
diff --git a/readme.md b/readme.md
@@ -1,6 +1,6 @@
 # systemd Service Unit for Traefik
 
-Adapted from [traefik systemd Service Unit](https://github.com/mholt/traefik/tree/e2635666730e24bfbc2408811be089502338cbc4/dist/init/linux-systemd)
+Adapted from [caddy systemd Service Unit](https://github.com/mholt/caddy/tree/e2635666730e24bfbc2408811be089502338cbc4/dist/init/linux-systemd)
 
 The provided file should work with systemd version 219 or later. It might work with earlier versions.
 The easiest way to check your systemd version is to run `systemctl --version`.
@@ -39,8 +39,6 @@ sudo useradd \
   --shell /usr/sbin/nologin \
   --system --uid 321 traefik
 
-sudo usermod -aG docker traefik
-
 sudo mkdir /etc/traefik
 sudo mkdir /etc/traefik/acme
 sudo chown -R root:root /etc/traefik

diff --git a/readme.md b/readme.md
@@ -42,7 +42,9 @@ sudo useradd \
 sudo usermod -aG docker traefik
 
 sudo mkdir /etc/traefik
+sudo mkdir /etc/traefik/acme
 sudo chown -R root:root /etc/traefik
+sudo chown -R traefik:traefik /etc/traefik/acme
 ```
 
 Place your traefik configuration file ("traefik.toml") in the proper directory

diff --git a/readme.md b/readme.md
@@ -0,0 +1,86 @@
+# systemd Service Unit for Traefik
+
+Adapted from [traefik systemd Service Unit](https://github.com/mholt/traefik/tree/e2635666730e24bfbc2408811be089502338cbc4/dist/init/linux-systemd)
+
+The provided file should work with systemd version 219 or later. It might work with earlier versions.
+The easiest way to check your systemd version is to run `systemctl --version`.
+
+## Instructions
+
+We will assume the following:
+
+* that you want to run traefik as user `traefik` and group `traefik`, with UID and GID 321
+* you are working from a non-root user account that can use 'sudo' to execute commands as root
+
+Adjust as necessary or according to your preferences.
+
+First, put the traefik binary in the system wide binary directory and give it
+appropriate ownership and permissions:
+
+```bash
+sudo cp /path/to/traefik /usr/local/bin
+sudo chown root:root /usr/local/bin/traefik
+sudo chmod 755 /usr/local/bin/traefik
+```
+
+Give the traefik binary the ability to bind to privileged ports (e.g. 80, 443) as a non-root user:
+
+```bash
+sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik
+```
+
+Set up the user, group, and directories that will be needed:
+
+```bash
+sudo groupadd -g 321 traefik
+sudo useradd \
+  -g traefik --no-user-group \
+  --home-dir /var/www --no-create-home \
+  --shell /usr/sbin/nologin \
+  --system --uid 321 traefik
+
+sudo usermod -aG docker traefik
+
+sudo mkdir /etc/traefik
+sudo chown -R root:root /etc/traefik
+```
+
+Place your traefik configuration file ("traefik.toml") in the proper directory
+and give it appropriate ownership and permissions:
+
+```bash
+sudo cp /path/to/traefik.toml /etc/traefik/
+sudo chown root:root /etc/traefik/traefik.toml
+sudo chmod 644 /etc/traefik/traefik.toml
+```
+
+Install the systemd service unit configuration file, reload the systemd daemon,
+and start traefik:
+
+```bash
+sudo cp /path/to/traefik.service /etc/systemd/system/
+sudo chown root:root /etc/systemd/system/traefik.service
+sudo chmod 644 /etc/systemd/system/traefik.service
+sudo systemctl daemon-reload
+sudo systemctl start traefik.service
+```
+
+Have the traefik service start automatically on boot if you like:
+
+```bash
+sudo systemctl enable traefik.service
+```
+
+If traefik doesn't seem to start properly you can view the log data to help figure out what the problem is:
+
+```bash
+journalctl --boot -u traefik.service
+```
+
+If your GNU/Linux distribution does not use *journald* with *systemd* then check any logfiles in `/var/log`.
+
+If you want to follow the latest logs from traefik you can do so like this:
+
+```bash
+journalctl -f -u traefik.service
+```
diff --git a/traefik.service b/traefik.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=traefik proxy
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-abnormal
+
+; User and group the process will run as.
+User=traefik
+Group=traefik
+
+; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
+ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+
+; Use private /tmp and /var/tmp, which are discarded after traefik stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/traefik/acme
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by traefik. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target