1 files changed, 18 insertions, 0 deletions

diff --git a/roles/x509/uacme/base/templates/uacme-reconcile.service.j2 b/roles/x509/uacme/base/templates/uacme-reconcile.service.j2
new file mode 100644
index 00000000..c2fe917a
--- /dev/null
+++ b/roles/x509/uacme/base/templates/uacme-reconcile.service.j2
@@ -0,0 +1,18 @@
+[Unit]
+Description=Reconcile Let's Encrypt certificates using uacme
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/uacme-reconcile.sh
+TimeoutStartSec=5min
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ReadWritePaths=/var/lib/uacme.d {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6