[Unit]
Description=ACME client daemon
After=network.target
ConditionPathExists=/etc/acmed/acmed.toml
Documentation=man:acmed.toml(5) man:acmed(8) https://github.com/breard-r/acmed/wiki

[Service]
User=%i

# Working directory (acmed home path)
WorkingDirectory=/var/lib/acmed
RuntimeDirectory=acmed

# daemon handling: start, stop, timeouts
ExecStart=/usr/bin/acmed --foreground --config /etc/acmed/acmed.toml --pid-file /run/acmed/acmed.pid --log-syslog --log-level info
TimeoutStartSec=3
TimeoutStopSec=5
Restart=on-failure
KillSignal=SIGINT

# Sandboxing: reduce privileges on filesystem and kernel-space
# restrict write access to acmed's directories with variable data
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=yes
ReadWritePaths=/etc/acmed /var/lib/acmed
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target