Browse Source

Add the acmed@user.service systemd unit configuration

pull/57/head
Rodolphe Bréard 3 years ago
parent
commit
596d55a486
  1. 3
      CHANGELOG.md
  2. 38
      contrib/systemd/acmed@.service

3
CHANGELOG.md

@ -14,6 +14,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
### Added
- The `acmed@user.service` systemd unit configuration has been added as an alternative to the `acmed.service` unit.
### Changed ### Changed
- The minimal required Rust version is now 1.46. - The minimal required Rust version is now 1.46.

38
contrib/systemd/acmed@.service

@ -0,0 +1,38 @@
[Unit]
Description=ACME client daemon
After=network.target
ConditionPathExists=/etc/acmed/acmed.toml
Documentation=man:acmed.toml(5) man:acmed(8) https://github.com/breard-r/acmed/wiki
[Service]
User=%i
# Working directory (acmed home path)
WorkingDirectory=/var/lib/acmed
RuntimeDirectory=acmed
# daemon handling: start, stop, timeouts
ExecStart=/usr/bin/acmed --foreground --config /etc/acmed/acmed.toml --pid-file /run/acmed/acmed.pid --log-syslog --log-level info
TimeoutStartSec=3
TimeoutStopSec=5
Restart=on-failure
KillSignal=SIGINT
# Sandboxing: reduce privileges on filesystem and kernel-space
# restrict write access to acmed's directories with variable data
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=yes
ReadWritePaths=/etc/acmed /var/lib/acmed
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
Loading…
Cancel
Save