From 596d55a48633e0017bbba3e89145f1c0f3262479 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodolphe=20Br=C3=A9ard?=
Date: Sun, 17 Apr 2022 10:49:05 +0200
Subject: [PATCH] Add the acmed@user.service systemd unit configuration
---
 CHANGELOG.md | 3 +++
 contrib/systemd/acmed@.service | 38 ++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 contrib/systemd/acmed@.service
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6bfb818..3ba65f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Added
+- The `acmed@user.service` systemd unit configuration has been added as an alternative to the `acmed.service` unit.
+
 ### Changed
 - The minimal required Rust version is now 1.46.
diff --git a/contrib/systemd/acmed@.service b/contrib/systemd/acmed@.service
new file mode 100644
index 0000000..89e0e53
--- /dev/null
+++ b/contrib/systemd/acmed@.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=ACME client daemon
+After=network.target
+ConditionPathExists=/etc/acmed/acmed.toml
+Documentation=man:acmed.toml(5) man:acmed(8) https://github.com/breard-r/acmed/wiki
+
+[Service]
+User=%i
+
+# Working directory (acmed home path)
+WorkingDirectory=/var/lib/acmed
+RuntimeDirectory=acmed
+
+# daemon handling: start, stop, timeouts
+ExecStart=/usr/bin/acmed --foreground --config /etc/acmed/acmed.toml --pid-file /run/acmed/acmed.pid --log-syslog --log-level info
+TimeoutStartSec=3
+TimeoutStopSec=5
+Restart=on-failure
+KillSignal=SIGINT
+
+# Sandboxing: reduce privileges on filesystem and kernel-space
+# restrict write access to acmed's directories with variable data
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=yes
+ReadWritePaths=/etc/acmed /var/lib/acmed
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
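Review bot: `ProtectSystem=yes` does not give the write restriction that the sandboxing comment describes. Per systemd.exec(5) it only makes /usr and the boot loader directories read-only, so /etc and /var stay writable wherever file permissions allow, and `ReadWritePaths=/etc/acmed /var/lib/acmed` has nothing to carve out. Changing the line to `ProtectSystem=strict` would make the hierarchy read-only apart from those two paths and the runtime directory, which matches the stated intent; `ProtectHome=yes` would fit alongside it. Separately, `User=%i` accepts any instance name, so `acmed@root.service` would run the daemon as root; a comment above it such as `# %i must name an unprivileged account dedicated to acmed` would make the expectation explicit.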