[Unit]
Description=Reconcile Let's Encrypt certificates
Documentation=man:acmetool(8)
After=nss-lookup.target apache2.service nginx.service openresty.service

[Service]
Type=oneshot
ExecStart=/usr/bin/acmetool --batch reconcile
TimeoutStartSec=5min
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/acme /run/acme
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6