[Unit]
Description=ACME client daemon
After=network.target

[Service]
User=acmed
Group=acmed

# Root directory used to store challenges
# prefered: preset HTTP_ROOT env in hooks
#Environment="HTTP_ROOT=/var/lib/acmed/domains"
#Environment="NGINX_CONFDIR=/etc/nginx/conf.d"
#Environment="NGINX_CHALLENGE_LOCATION="001-challenge-letsencrypt.conf"
#Environment="NGINX_TLS_CERTIFICATE="001-tls-certificates.conf"


# ACMEd home directory
WorkingDirectory=/var/lib/acmed

# ACMEd runtime diretory storing pid file
RuntimeDirectory=acmed

# daemon handling: start, stop, timeouts
#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level trace --log-stderr
ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
TimeoutStartSec=3
TimeoutStopSec=5
Restart=on-failure
KillSignal=SIGINT

# Sandboxing: reduce privileges on filesystem and kernel-space
# restrict write access to directories, where acmed will store variable data
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc/acmed /etc/nginx/conf.d /var/lib/acmed
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target