[Unit]
Description=Cockpit Web Service
Documentation=man:cockpit-ws(8)
Requires=cockpit.socket
Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket
# we need to start after the sockets so that we can instantly forward incoming requests
After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket

[Service]
RuntimeDirectory=cockpit/tls
ExecStartPre=+/usr/libexec/cockpit-certificate-ensure --for-cockpit-tls
ExecStart=/usr/libexec/cockpit-tls
DynamicUser=yes
# otherwise systemd uses 'cockpit' even if it exists as a normal user account
User=cockpit-systemd-service
Group=cockpit-wsinstance-socket
NoNewPrivileges=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectKernelTunables=yes
MemoryDenyWriteExecute=yes

# cockpit-tls speaks to the outside world via socket activation, and to cockpit-ws via Unix socket
PrivateIPC=yes
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX