Enable CAP_NET_ADMIN (#98)
* Add CAP_NET_ADMIN

* Update readme
otbutz authored May 30, 2023
1 parent 5ded535 commit 5910351
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion init/README.md
@@ -65,4 +65,4 @@ To keep our unit files tidy, we haven't littered them with comments. So here we
- **`LimitNPROC=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea.
- **`PrivateTmp=true`** keeps /tmp and /var/tmp private, which are discarded after caddy stops.
- **`ProtectSystem=full`** allows writing to /var, which is crucial so that it can store certificates and other data for your site.
- **`AmbientCapabilities=CAP_NET_BIND_SERVICE`** allows caddy to bind to low ports (< 1024) without running as root.
- **`AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`** allows caddy to modify socket options and bind to low ports (< 1024) without running as root.
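Review bot: the new README wording undersells what CAP_NET_ADMIN grants. Besides privileged socket options it covers interface and routing configuration, netfilter rules and other network-namespace administration, so the bullet should name the caddy feature that actually needs it and make clear it is far broader than CAP_NET_BIND_SERVICE, along the lines of "grants CAP_NET_ADMIN so caddy can set privileged socket options (only needed for <feature>); this is a broad capability, remove it if you do not use that feature".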
2 changes: 1 addition & 1 deletion init/caddy-api.service
@@ -23,7 +23,7 @@ LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
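Review bot: this grants CAP_NET_ADMIN to every install of caddy-api.service by default, and the unit sets no CapabilityBoundingSet to go with it. Consider adding `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` next to the AmbientCapabilities line so the process cannot hold anything beyond those two, and compare `systemd-analyze security caddy-api.service` before and after the change, since its capability checks treat CAP_NET_ADMIN as high-exposure.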
2 changes: 1 addition & 1 deletion init/caddy.service
@@ -30,7 +30,7 @@ LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
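Review bot: this hunk repeats the grant in caddy.service, so operators who do not use the socket-option feature end up with CAP_NET_ADMIN in both units and no documented way to opt out. Suggest adding a README note that a drop-in (`systemctl edit caddy`) can reset the list with an empty `AmbientCapabilities=` line followed by `AmbientCapabilities=CAP_NET_BIND_SERVICE`, and keeping the two units' [Service] hardening blocks in sync in future changes.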
