Browse Source

Add example systemd service file

pull/30/head
Danilo Bargen 5 years ago
parent
commit
fad514c1ee
  1. 5
      README.md
  2. 29
      acmed.service.example

5
README.md

@ -97,11 +97,14 @@ Running ACMEd as root is the simplest configuration since you do not have to wor
However, if you are concerned with safety, you should create a dedicated user for ACMEd. Before doing so, please consider the following points: "Will your services be able to read both the private key and the certificate?" and "Will the ACMEd user be able to execute the hooks?". The later could be achieved using sudo or Polkit.
### Why is there no option to run ACMEd as a specific user or group?
The reason some services has such an option is because at startup they may have to load data only accessible by root, hence they have to change the user themselves after those data are loaded. For example, this is wildly used in web servers so they load a private key, which should only be accessible by root. Since ACMEd does not have such requirement, it should be run directly as the correct user.
### How can I run ACMEd with systemd?
An example service file is provided (see `acmed.service.example`). The file might need adjustments in order to work on your system (e.g. binary path, user, group, directories...), but it's probably a good starting point.
### Is it suitable for beginners?
It depends on your definition of a beginner. This software is intended to be used by system administrator with a certain knowledge of their environment. Furthermore, it is also expected to know the bases of the ACME protocol. Let's Encrypt wrote a nice article about [how it works](https://letsencrypt.org/how-it-works/).

29
acmed.service.example

@ -0,0 +1,29 @@
# systemd example unit file. Please adjust.
[Unit]
Description=ACME client daemon
After=network.target
[Service]
User=acmed
Group=acmed
# Working directory
WorkingDirectory=/etc/acmed
# Starting, stopping, timeouts
ExecStart=/usr/local/bin/acmed --foreground --pid-file /etc/acmed/acmed.pid --log-level debug --log-stderr
TimeoutStartSec=3
TimeoutStopSec=5
Restart=on-failure
KillSignal=SIGINT
# Sandboxing, reduce privileges, only allow write access to working directory
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectSystem=strict
ReadWritePaths=/etc/acmed/
[Install]
WantedBy=multi-user.target
Loading…
Cancel
Save