You do this by creating a drop-in systemd unit that modifies the existing Docker systemd unit.
Create the file custom.conf in /etc/systemd/system/docker.service.d/:
If you want to restrict local users from using the Docker Unix socket, remove the second -H command-line option. If you already have a custom drop-in unit, you can add the -H and --tls* arguments to it instead.
[Service]
Environment="DOCKER_OPTS=-H=0.0.0.0:2376 -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/cert.pem --tlskey=/etc/docker/ssl/key.pem"
Reload systemd and the Docker service:
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
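The following is an added example, not part of the original page: a small Python check for the drop-in above that confirms every TCP listener in DOCKER_OPTS is covered by --tlsverify and its three certificate options, and reports whether the Unix socket is still enabled. The function names and the WEAK_UNIT sample are constructed for illustration, and any -H address that is not unix:// or fd:// is treated as a TCP listener.

```python
import re
import shlex

# Drop-in from the page, then a constructed weak variant for comparison.
PAGE_UNIT = '''[Service]
Environment="DOCKER_OPTS=-H=0.0.0.0:2376 -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/cert.pem --tlskey=/etc/docker/ssl/key.pem"
'''
WEAK_UNIT = '[Service]\nEnvironment="DOCKER_OPTS=-H tcp://0.0.0.0:2375 --tlsverify=false"\n'

ENV_RE = re.compile(r'^\s*Environment="?DOCKER_OPTS=(.*?)"?\s*$', re.M)
TLS_FILES = ("--tlscacert", "--tlscert", "--tlskey")


def parse_opts(unit_text):
    """Return (hosts, flags) parsed from the DOCKER_OPTS value."""
    m = ENV_RE.search(unit_text)
    tokens = shlex.split(m.group(1)) if m else []
    hosts, flags, i = [], {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name in ("-H", "--host"):
            if not sep:  # "-H value" form: the address is the next token
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            hosts.append(value)
        else:
            flags[name] = value if sep else "true"
        i += 1
    return hosts, flags


def audit(unit_text):
    """Return findings about daemon listeners and TLS client verification."""
    hosts, flags = parse_opts(unit_text)
    verify = flags.get("--tlsverify", "false").lower() not in ("false", "0")
    findings = []
    # Simplification: anything that is not unix:// or fd:// counts as TCP.
    tcp = [h for h in hosts if not h.startswith(("unix://", "fd://"))]
    if tcp and not verify:
        findings.append("tcp listener without --tlsverify: " + ", ".join(tcp))
    if verify:
        findings += ["--tlsverify set but %s missing" % f
                     for f in TLS_FILES if not flags.get(f)]
    if any(h.startswith("unix://") for h in hosts):
        findings.append("unix socket listener enabled for local users")
    return findings


if __name__ == "__main__":
    for label, unit in (("page", PAGE_UNIT), ("weak", WEAK_UNIT)):
        print(label, audit(unit) or "no findings")
```

Run audit() on the contents of /etc/systemd/system/docker.service.d/custom.conf before reloading systemd; an empty list means the TCP listener requires client certificates and the Unix socket is disabled.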