|
@ -0,0 +1,38 @@ |
|
|
|
|
|
[Unit] |
|
|
|
|
|
Description=ACME client daemon |
|
|
|
|
|
After=network.target |
|
|
|
|
|
ConditionPathExists=/etc/acmed/acmed.toml |
|
|
|
|
|
Documentation=man:acmed.toml(5) man:acmed(8) https://github.com/breard-r/acmed/wiki |
|
|
|
|
|
|
|
|
|
|
|
[Service] |
|
|
|
|
|
User=%i |
|
|
|
|
|
|
|
|
|
|
|
# Working directory (acmed home path) |
|
|
|
|
|
WorkingDirectory=/var/lib/acmed |
|
|
|
|
|
RuntimeDirectory=acmed |
|
|
|
|
|
|
|
|
|
|
|
# daemon handling: start, stop, timeouts |
|
|
|
|
|
ExecStart=/usr/bin/acmed --foreground --config /etc/acmed/acmed.toml --pid-file /run/acmed/acmed.pid --log-syslog --log-level info |
|
|
|
|
|
TimeoutStartSec=3 |
|
|
|
|
|
TimeoutStopSec=5 |
|
|
|
|
|
Restart=on-failure |
|
|
|
|
|
KillSignal=SIGINT |
|
|
|
|
|
|
|
|
|
|
|
# Sandboxing: reduce privileges on filesystem and kernel-space |
|
|
|
|
|
# restrict write access to acmed's directories with variable data |
|
|
|
|
|
NoNewPrivileges=yes |
|
|
|
|
|
PrivateDevices=yes |
|
|
|
|
|
PrivateTmp=yes |
|
|
|
|
|
ProtectClock=yes |
|
|
|
|
|
ProtectHostname=yes |
|
|
|
|
|
ProtectKernelTunables=yes |
|
|
|
|
|
ProtectKernelModules=yes |
|
|
|
|
|
ProtectKernelLogs=yes |
|
|
|
|
|
ProtectSystem=yes |
|
|
|
|
|
ReadWritePaths=/etc/acmed /var/lib/acmed |
|
|
|
|
|
RestrictRealtime=yes |
|
|
|
|
|
RestrictSUIDSGID=yes |
|
|
|
|
|
SystemCallFilter=@system-service |
|
|
|
|
|
|
|
|
|
|
|
[Install] |
|
|
|
|
|
WantedBy=multi-user.target |