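# acmed.service — systemd unit for the ACMEd daemon.
# Read by systemd: `#` full-line comments only, one Key=Value per line,
# sections [Unit] / [Service] / [Install] are fixed and case-sensitive.
[Unit]
Description=ACME client daemon
# NOTE(review): network.target does not guarantee connectivity; a client that
# must reach the ACME server right at start-up usually wants
# Wants=network-online.target plus After=network-online.target — confirm.
After=network.target

[Service]
# Unprivileged account the daemon runs as; hook commands it spawns run as it too.
User=acmed
Group=acmed

# Root directory used to store challenges
# preferred: preset HTTP_ROOT env in hooks
# (quoting fixed: a single pair of double quotes around the whole NAME=value)
#Environment="HTTP_ROOT=/var/lib/acmed/domains"
#Environment="NGINX_CONFDIR=/etc/nginx/conf.d"
#Environment="NGINX_CHALLENGE_LOCATION=001-challenge-letsencrypt.conf"
#Environment="NGINX_TLS_CERTIFICATE=001-tls-certificates.conf"

# ACMEd home directory
WorkingDirectory=/var/lib/acmed

# ACMEd runtime directory storing the pid file (created as /run/acmed,
# matching --pid-file below)
RuntimeDirectory=acmed

# daemon handling: start, stop, timeouts
# Debug variant (trace logging to stderr); keep disabled in production.
#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level trace --log-stderr
ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
# seconds
TimeoutStartSec=3
TimeoutStopSec=5
Restart=on-failure
KillSignal=SIGINT

# Sandboxing: reduce privileges on filesystem and kernel-space
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
# Whole filesystem read-only except the paths listed in ReadWritePaths.
ProtectSystem=strict
# Restrict write access to directories where acmed (and its hooks) store
# variable data. /etc/nginx/conf.d is writable only so the nginx hooks can
# drop the challenge/TLS snippets referenced above; remove it when those
# hooks are not used, since it otherwise lets the daemon alter web-server
# configuration.
ReadWritePaths=/etc/acmed /etc/nginx/conf.d /var/lib/acmed
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
# Further hardening candidates (verify hooks still work before enabling):
# ProtectHome=yes, ProtectControlGroups=yes, RestrictNamespaces=yes,
# LockPersonality=yes, RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=multi-user.target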