§2023-04-12


試作機器: h2nas01.yushei.net running archlinux

  1. pacman
$ sudo pacman -S caddy
...
Detected unsafe path transition /etc/elasticsearch (owned by elasticsearch) → /etc/elasticsearch/jvm.options (owned by root) during canonicalization of etc/elasticsearch/jvm.options.
$ pacman -Qo /etc/elasticsearch/
/etc/elasticsearch/ is owned by elasticsearch 8.6.0-5
$ sudo pacman -Rns elasticsearch
$ pacman -Qo /etc/elasticsearch/
error: No package owns /etc/elasticsearch
$ sudo rm -rf /etc/elasticsearch/
$ sudo pacman -Rns caddy
$ sudo pacman -S caddy

$ pacman -Ql caddy
caddy /etc/
caddy /etc/caddy/
caddy /etc/caddy/Caddyfile
caddy /etc/caddy/conf.d/
caddy /usr/
caddy /usr/bin/
caddy /usr/bin/caddy
caddy /usr/lib/
caddy /usr/lib/systemd/
caddy /usr/lib/systemd/system/
caddy /usr/lib/systemd/system/caddy-api.service
caddy /usr/lib/systemd/system/caddy.service
caddy /usr/lib/sysusers.d/
caddy /usr/lib/sysusers.d/caddy.conf
caddy /usr/lib/tmpfiles.d/
caddy /usr/lib/tmpfiles.d/caddy.conf
caddy /usr/share/
caddy /usr/share/bash-completion/
caddy /usr/share/bash-completion/completions/
caddy /usr/share/bash-completion/completions/caddy
caddy /usr/share/caddy/
caddy /usr/share/caddy/index.html
caddy /usr/share/fish/
caddy /usr/share/fish/vendor_completions.d/
caddy /usr/share/fish/vendor_completions.d/caddy.fish
caddy /usr/share/zsh/
caddy /usr/share/zsh/site-functions/
caddy /usr/share/zsh/site-functions/_caddy
  1. /usr/lib/systemd/system/caddy.service as installed by the package:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
# Order after network-online so listeners are bound once addresses exist.
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
# Stop retrying after 10 failed starts within 14400 s (4 h); the retry
# policy itself is Restart= in [Service] below.
StartLimitIntervalSec=14400
StartLimitBurst=10

[Service]
# notify: Caddy reports readiness to systemd itself, so units ordered
# after this one only start once the server is actually serving.
Type=notify
# Runs unprivileged as caddy:caddy (presumably created by the packaged
# /usr/lib/sysusers.d/caddy.conf - see the pacman -Ql listing above).
User=caddy
Group=caddy
# Caddy locates its data and config directories through the XDG variables:
# data under /var/lib (presumably /var/lib/caddy, which ReadWritePaths=
# below keeps writable) and config under /etc.
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
# Reject a broken Caddyfile before the server process is started.
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
# --force reloads even when the config file is unchanged.
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
# Remove the admin unix socket that the Caddyfile places under /run/caddy
# so a stale socket file does not survive a stop.
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket

# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal

# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s

LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
# Only CAP_NET_BIND_SERVICE is retained: it is what an unprivileged user
# needs to bind privileged ports (<1024) such as the port 80 listener in
# the Caddyfile. Everything else is dropped via the bounding set, and
# NoNewPrivileges= below prevents regaining privileges through setuid
# or file-capability binaries.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
# strict: the file system is read-only for the service except for the
# paths listed in ReadWritePaths=; /etc/caddy is therefore read-only
# from inside the service.
ProtectSystem=strict
RemoveIPC=true
# Writable carve-outs: data dir, log dir, and the runtime dir that holds
# the admin socket. Keep this list minimal - any path added here is
# writable by the caddy process if it is ever compromised.
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target
  1. cat /etc/caddy/Caddyfile
# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile
#
# The configuration below serves a welcome page over HTTP on port 80.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses

# Global options block: applies to the whole server, not to one site.
{
	# Restrict the admin interface to a local unix file socket whose directory
	# is restricted to caddy:caddy. By default the TCP socket allows arbitrary
	# modification for any process and user that has access to the local
	# interface. If admin over TCP is turned on one should make sure
	# implications are well understood.
	#
	# The socket lives under /run/caddy, which caddy.service lists in
	# ReadWritePaths= and deletes again in ExecStopPost=. Anyone who can
	# connect to this socket can reconfigure the server, so the directory
	# permissions are the access control.
	admin "unix//run/caddy/admin.socket"
}

# Catch-all plain-HTTP site: no hostname is given, so this block answers
# requests for any host on port 80. No automatic HTTPS is involved here;
# replace the address with a domain name to enable it.
http:// {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000

	# Refer to the directive documentation for more options.
	# https://caddyserver.com/docs/caddyfile/directives
}

# Import additional caddy config files in /etc/caddy/conf.d/
# Every file matching the glob becomes part of the effective config, so
# write access to that directory is equivalent to write access to this
# file - keep its ownership and permissions as tight as the Caddyfile's.
import /etc/caddy/conf.d/*