ansible_role_acmetool/templates/acmetool.service.j2

[Unit]
Description=Reconcile Let's Encrypt certificates
Documentation=man:acmetool(8)
After=nss-lookup.target
After={{ acme_systemd_start_after }}

[Service]
Type=oneshot
ExecStart=/usr/bin/acmetool --batch reconcile
TimeoutStartSec=5min
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/acme /run/acme /etc/nginx
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
Manage systemd by acmetool 2021-09-30 02:30:42 +02:00			`[Unit]`
			`Description=Reconcile Let's Encrypt certificates`
			`Documentation=man:acmetool(8)`
			`After=nss-lookup.target`
			`After={{ acme_systemd_start_after }}`

			`[Service]`
			`Type=oneshot`
			`ExecStart=/usr/bin/acmetool --batch reconcile`
			`TimeoutStartSec=5min`
			`CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE`
			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
			`PrivateDevices=yes`
			`ProtectSystem=strict`
			`ReadWritePaths=/var/lib/acme /run/acme /etc/nginx`
			`ProtectHome=yes`
			`ProtectKernelTunables=yes`
			`ProtectControlGroups=yes`
			`RestrictRealtime=yes`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`