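# systemd unit: one-shot job that runs /etc/fetchcert/fetchcert.sh to fetch
# an HTTPS certificate from the Kubernetes Secret API (see Description=).
# The script is not part of this file; notes about its needs are marked as
# assumptions to confirm.

[Unit]
Description=Fetch HTTPS certificate from Kubernetes Secret API
# Pull in network-online.target and start only after it is reached, so the
# fetch does not run before the network is up.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# The two arguments are presumably the namespace and the Secret name;
# confirm against fetchcert.sh.
ExecStart=/bin/sh /etc/fetchcert/fetchcert.sh default pyrocufflink-cert

# Filesystem: the whole hierarchy is read-only for this unit except the
# directory the certificate is written to.
# NOTE(review): no UMask= is set, so the mode of the files written under
# /etc/pki/nginx is decided by the script. If the Secret includes the
# private key, confirm the script does not leave it world-readable.
ProtectSystem=strict
ReadWritePaths=/etc/pki/nginx
ProtectHome=yes
PrivateTmp=yes

# Capabilities and privilege escalation.
# NOTE(review): the @privileged group filtered out below contains @chown,
# so the chown(2) family is denied even though CAP_CHOWN is kept here, and
# PrivateUsers=yes maps only root and the unit's own user into the user
# namespace. If fetchcert.sh has to chown the files it writes, one of these
# settings must change; if it does not, CapabilityBoundingSet= can be left
# empty.
CapabilityBoundingSet=CAP_CHOWN
NoNewPrivileges=yes
PrivateUsers=yes
RestrictSUIDSGID=yes

# Devices: the empty DeviceAllow= clears the allow list; DevicePolicy=closed
# leaves only the standard pseudo devices reachable.
DeviceAllow=
DevicePolicy=closed
PrivateDevices=yes

# Kernel and /proc exposure.
ProcSubset=pid
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

# Process-level restrictions.
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes

# Network: IPv4/IPv6 for the API request; AF_UNIX is presumably kept for
# local sockets (confirm it is needed).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# System calls: start from the @system-service allow list, then remove the
# @privileged and @resources groups from it. The order of the two lines
# matters, because the second one subtracts from the first.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources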