[Unit]
Description=Reconcile Let's Encrypt certificates using uacme

[Service]
Type=oneshot
ExecStart=/usr/local/bin/uacme-reconcile.sh
TimeoutStartSec=5min
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/uacme.d {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6