# Sandboxing overrides for a certbot renewal service. This appears to be a
# systemd drop-in, since it clears and then redefines ExecStart=.
# Comments are kept on their own lines: systemd has no trailing-comment syntax.
# To audit the effective result: systemd-analyze security <unit>
[Service]

# --- Command and scheduling ---
# The empty assignment discards any ExecStart= inherited from the base unit, so
# the line after it is the only command this service runs.
ExecStart=
ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew
CPUSchedulingPolicy=batch

# --- Privileges ---
# An empty bounding set leaves the process with no capabilities, even as root.
# Anything certbot spawns (renewal hooks included) inherits this sandbox.
# NOTE(review): confirm that no hook needs a capability, e.g. to chown key files.
CapabilityBoundingSet=
PrivateUsers=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
# NOTE(review): NoNewPrivileges= is not set in this file. For a system service
# running as root it is not implied by the other options, so check whether the
# base unit sets it.

# --- File system ---
# ProtectSystem=strict makes the file system read-only for this service;
# ReadWritePaths= re-opens only the listed directories. A leading "-" marks a
# path as optional, so a missing directory does not fail the unit.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot -/etc/nginx/ocsp-cache
PrivateDevices=true

# --- Kernel, host state and process visibility ---
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
ProcSubset=pid
PrivateIPC=true

# --- Network ---
# This is an allow-list: only IPv4 and IPv6 sockets may be created.
# NOTE(review): AF_UNIX is not listed, so nothing started by this service can
# open a Unix-domain socket. Confirm that no renewal hook relies on one.
RestrictAddressFamilies=AF_INET AF_INET6

# --- System calls and memory ---
# Order matters for the two SystemCallFilter= lines: the first sets the allowed
# group, the second (prefixed with "~") removes groups from it.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @obsolete
MemoryDenyWriteExecute=true