# systemd service unit for ACMEserver.
# systemd accepts only full-line comments, so every note sits above its directive.

[Unit]
Description=ACMEserver
# Ordering only: start after network.target. No Wants=/Requires= is declared here.
After=network.target

[Service]
# Run under the acmeserver user and group instead of root.
User=acmeserver
Group=acmeserver
# The leading "-" makes this file optional: a missing file is not an error.
# Its contents feed the command line below, so it should be writable by root only.
EnvironmentFile=-/etc/default/acmeserver
# $ADDR is not set in this unit; presumably it comes from the EnvironmentFile.
# Unbraced $VAR is split on whitespace into separate arguments. If it is unset
# it expands to nothing and --addr is left without a value.
ExecStart=/usr/bin/acmeserver --addr $ADDR
# Reload sends SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID
# Restart on every exit, clean or not.
Restart=always

# Hardening
# No privilege gain through execve(): setuid/setgid bits and file capabilities
# are ignored.
NoNewPrivileges=yes
# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=yes
# Private /dev with pseudo-devices only; no access to physical devices.
PrivateDevices=yes
# /home, /root and /run/user are inaccessible.
ProtectHome=yes
# /usr, the boot loader directories and /etc are mounted read-only.
ProtectSystem=full
# The whole tree is read-only, with /var/lib/acme re-opened for writing.
# Legacy spellings of ReadOnlyPaths=/ReadWritePaths=; newer systemd still
# accepts them.
# NOTE(review): without a "-" prefix the unit fails to start if /var/lib/acme
# is missing; confirm it is created and owned by acmeserver at install time.
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/acme
# Upper bound on capabilities; this does not grant any.
# NOTE(review): with a non-root User= and NoNewPrivileges=yes the process
# starts with no effective capabilities. If $ADDR is a port below 1024,
# AmbientCapabilities=CAP_NET_BIND_SERVICE would be needed as well; if not,
# the bounding set could be empty. Confirm against the configured address.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target