1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[Unit]
Description=Reconcile Let's Encrypt certificates
Documentation=man:acmetool(8)
After=nss-lookup.target
After=apache2.service nginx.service
[Service]
Type=oneshot
ExecStart=/usr/bin/acmetool --batch reconcile
TimeoutStartSec=5min
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/acme /run/acme
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
