[Unit]
Description=Socket for Cockpit Web Service https instance %I
Documentation=man:cockpit-ws(8)
BindsTo=cockpit.service
# clean up the socket after the service exits, to prevent fd leak
# this also effectively prevents a DoS by starting arbitrarily many sockets, as
# the services are resource-limited by system-cockpithttps.slice
BindsTo=cockpit-wsinstance-https@%i.service
# ensure our DynamicUser exists
Requires=cockpit-ws-user.service
After=cockpit-ws-user.service

[Socket]
ListenStream=/run/cockpit/wsinstance/https@%i.sock
SocketUser=cockpit-ws
SocketMode=0600
RemoveOnStop=yes