Thermi/acme.service

## acme.service
[Unit]
Description = update Let's Encrypt certificates

[Service]
ExecStart=/usr/bin/acmetool --batch reconcile
ExecStartPost=/usr/bin/systemctl reload nginx
ExecStartPost=/usr/bin/cp /var/lib/acme/live/thermi.strangled.net/haproxy /var/lib/znc/.znc/certs/znc_whole_chain.pem
ExecStartPost=/usr/bin/chown znc:znc /var/lib/znc/.znc/certs/znc_whole_chain.pem
ExecStartPost=/usr/bin/chmod 600 /var/lib/znc/.znc/certs/znc_whole_chain.pem

PermissionsStartOnly=True
User=acme
Group=acme
PrivateTmp=True
PrivateDevices=True
ProtectSystem=True
ProtectHome=True
NoNewPrivileges=True

## acme.timer
[Unit]
Description=Timer unit to update certificates every hour at 48 minutes
After=connection.service

[Timer]
OnCalendar = *-*-* *:48:00
Unit = acme.service
Persistent = True

[Install]
WantedBy=multi-user.target

## usage notes
To make use of the `User=acme` and `Group=acme`parts of the service unit, you need to create those first.
The best thing for that is to create it with `useradd -r -d /var/empty -M acme`.
That creates the user and group "acme" in the system users UID and GID range.
This makes the user "acme" not show up on a possible login screen (if you use a GUI).
The purpose of the other flags is perfectly well explained on the man page for `useradd`.
The commands listed in `ExecStartPost` are system dependent and need to be adjusted to your specific use case.

The architecture of this is as follows:
When the timer Unit is enabled and started, it makes systemd start the `acme.service` unit every hour at 48 minutes.
This mimicks the behaviour of the cronjob that acmetool optionally installs.
To enable it, use `systemctl enacle acme.timer`.
You can also manually start the service unit with `systemctl start acme.service` (or with `systemctl start acme`).
	[Unit]
	Description = update Let's Encrypt certificates

	[Service]
	ExecStart=/usr/bin/acmetool --batch reconcile
	ExecStartPost=/usr/bin/systemctl reload nginx
	ExecStartPost=/usr/bin/cp /var/lib/acme/live/thermi.strangled.net/haproxy /var/lib/znc/.znc/certs/znc_whole_chain.pem
	ExecStartPost=/usr/bin/chown znc:znc /var/lib/znc/.znc/certs/znc_whole_chain.pem
	ExecStartPost=/usr/bin/chmod 600 /var/lib/znc/.znc/certs/znc_whole_chain.pem

	PermissionsStartOnly=True
	User=acme
	Group=acme
	PrivateTmp=True
	PrivateDevices=True
	ProtectSystem=True
	ProtectHome=True
	NoNewPrivileges=True
	[Unit]
	Description=Timer unit to update certificates every hour at 48 minutes
	After=connection.service

	[Timer]
	OnCalendar = --* *:48:00
	Unit = acme.service
	Persistent = True

	[Install]
	WantedBy=multi-user.target
	To make use of the `User=acme` and `Group=acme`parts of the service unit, you need to create those first.
	The best thing for that is to create it with `useradd -r -d /var/empty -M acme`.
	That creates the user and group "acme" in the system users UID and GID range.
	This makes the user "acme" not show up on a possible login screen (if you use a GUI).
	The purpose of the other flags is perfectly well explained on the man page for `useradd`.
	The commands listed in `ExecStartPost` are system dependent and need to be adjusted to your specific use case.

	The architecture of this is as follows:
	When the timer Unit is enabled and started, it makes systemd start the `acme.service` unit every hour at 48 minutes.
	This mimicks the behaviour of the cronjob that acmetool optionally installs.
	To enable it, use `systemctl enacle acme.timer`.
	You can also manually start the service unit with `systemctl start acme.service` (or with `systemctl start acme`).