diff --git a/defaults/main.yml b/defaults/main.yml
index 1a50e87..88892ed 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,15 +3,15 @@
 local_munin_path: /data/munin
 nextcloud_admin_user: systemausfall.org
 nextcloud_admin_pw: admin
-nextcloud_db_password: "{{ lookup('password', '/tmp/{{ instance.domain }}_db_pwd length=42 chars=ascii_letters,digits') }}"
-nextcloud_munin_user_password: "{{ lookup('password', '/tmp/{{ instance.domain }}_munin_pwd length=42 chars=ascii_letters,digits') }}"
+nextcloud_db_password: "{{ lookup('password', '/tmp/{{ instance.name }}_db_pwd length=42 chars=ascii_letters,digits') }}"
+nextcloud_munin_user_password: "{{ lookup('password', '/tmp/{{ instance.name }}_munin_pwd length=42 chars=ascii_letters,digits') }}"
 nextcloud_dl_url: https://download.nextcloud.com/server/releases
 nextcloud_root: /data/nextcloud
-nextcloud_install_path: "{{ nextcloud_root }}/{{ instance.domain }}"
+nextcloud_install_path: "{{ nextcloud_root }}/{{ instance.name }}"
 nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php"
 nextcloud_php_memory_limit: 512M
 nextcloud_php_upload_limit: 512M
-nextcloud_trusted_domains: ['localhost', '{{ instance.domain }}']
+nextcloud_trusted_domains: ['localhost', '{{ instance.name }}']
 nextcloud_trusted_proxies: ['10.42.7.1']
 nextcloud_version: nextcloud-22.2.0
 nextcloud_mail_from: noreply
@@ -20,4 +20,7 @@
 nextcloud_smtp_auth_type: LOGIN
 nextcloud_smtp_host: sl-postbote.kahlo
 nextcloud_smtp_port: 25
+php_fpm_log_dir: /var/log/phpfpm
+php_fpm_pool_dir: /etc/php/{{ php_version.stdout }}/fpm/pool.d
+
 redis_config_file: /etc/redis/redis.conf
diff --git a/files/apache_site.conf b/files/apache_site.conf
index af4bdca..4346cf0 100644
--- a/files/apache_site.conf
+++ b/files/apache_site.conf
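Review bot: The credentials produced by the `password` lookup in `nextcloud_db_password` and `nextcloud_munin_user_password` are persisted under the controller's `/tmp`, a directory shared with every local user and commonly cleared on reboot; once the file is gone the lookup mints a fresh value while the database user created in tasks/database.yml still carries the old one, so the instance silently loses its database login. A role-owned path that survives reboots, for example rooted in `{{ inventory_dir }}` and kept out of version control, avoids both the drift and the shared directory. Since `instance.name` now also serves as the hostname (it is what lands in `nextcloud_trusted_domains` and, per the other hunks, in the certificate list and nginx `server_name`), a comment above `nextcloud_trusted_domains` such as `# instance.name is the public hostname of the instance` would save the next reader a search.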
@@ -1,34 +1,41 @@ - - + ServerName $domain DocumentRoot /data/nextcloud/$domain/ Include /etc/apache2/conf-available/sao-cache.conf IncludeOptional /etc/apache2/conf-available/$domain.alias.conf - ProxyTimeout 900 - - SetHandler "proxy:unix:/run/php/php-fpm-$pool.sock|fcgi://$domain/" - - - - + + + SetHandler "proxy:unix:/run/php/php-fpm-$pool.sock|fcgi://$domain" + + + Require all denied + + + Require all denied + + + Require all denied + + + Require all denied + + - Require all granted - AllowOverride All - Options FollowSymLinks MultiViews - - Dav off - + Require all granted + AllowOverride All + Options FollowSymLinks MultiViews + + Dav off + - - - + # Includieren der Variablen Include /etc/apache2/conf-available/nextcloud_sites.conf -UndefMacro NCSite \ No newline at end of file +UndefMacro NCSite
diff --git a/files/systemd/php-fpm@.socket b/files/systemd/php-fpm@.socket
new file mode 100644
index 0000000..6b9313e
--- /dev/null
+++ b/files/systemd/php-fpm@.socket
@@ -0,0 +1,11 @@
+[Unit]
+After=network-online.target
+
+[Socket]
+SocketUser=%i
+SocketGroup=%i
+SocketMode=0660
+ListenStream=/run/php/php-fpm-%i.sock
+
+[Install]
+WantedBy=sockets.target
diff --git a/handlers/main.yml b/handlers/main.yml
index d2b2a55..f8bc152 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -15,12 +15,16 @@ state: reloaded delegate_to: "{{ gateway_host }}" -- name: restart phpfpm - service: - name: "php{{ php_version.stdout }}-fpm" - state: restarted - - name: restart munin-node service: name: munin-node - state: restarted \ No newline at end of file + state: restarted + +- name: stop php-fpm-socket + command: systemctl stop php-fpm@*.socket + +- name: stop php-fpm-service + command: systemctl stop php-fpm@*.service + +- name: start php-fpm-socket + command: systemctl start php-fpm@*.socket --all
diff --git a/tasks/apache.yml b/tasks/apache.yml
index 660dfe3..bb77ae4 100644
--- a/tasks/apache.yml
+++ b/tasks/apache.yml
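Review bot: `ProxyTimeout 900` disappears from the new side with nothing in its place, so requests handed to the FastCGI backend now fall back to the server-wide `Timeout`; with `nextcloud_php_upload_limit: 512M` in defaults/main.yml a large upload or a long occ-triggered request can be cut off, which is easy to misread as a php-fpm fault after the socket migration. If the removal is intentional, a one-line comment saying where the timeout now lives would help; otherwise keep `ProxyTimeout 900` next to the `SetHandler` line. The enclosing container directives (presumably the macro and the directory/file-match blocks) were stripped in this extraction, so which paths the four added `Require all denied` blocks actually cover cannot be checked from here.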
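Review bot: `SocketGroup=%i` together with `SocketMode=0660` means Apache's `www-data` can connect only because tasks/user.yml adds it to every instance user's group; compared with the removed pool setting `listen.group = www-data` that is a wider grant, since group membership also reaches whatever Nextcloud leaves group-readable or group-writable under the install path (config.php with the database password, data/), not just the socket. `SocketGroup=www-data` keeps the socket reachable with no group membership at all and would let the `www-data` task in tasks/user.yml go; if the membership is needed for another reason, record it in this unit: `# www-data reaches this socket via membership in group %i (tasks/user.yml)`. `After=network-online.target` is unnecessary for a local unix socket and, without a matching `Wants=`, does not pull the target in anyway.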
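Review bot: `systemctl start php-fpm@*.socket --all` in the new `start php-fpm-socket` handler is fragile: per systemctl(1) a glob matches only units currently loaded in memory, and instance units just stopped by the two preceding handlers may already have been unloaded, so the start can match nothing and every pool stays down until tasks/php.yml runs again; `--all` does not change that for `start`. The `command:` form also bypasses check mode and reports changed on every notification. Looping the `systemd` module over the configured instances keeps the three handler names the tasks notify and makes the restart explicit; this assumes `nextcloud_instances` (referenced in tasks/redis.yml) is the list the `instance` loop variable is drawn from and that each entry carries `user`, which should be confirmed against tasks/main.yml.
```yaml
- name: stop php-fpm-socket
  systemd:
    name: "php-fpm@{{ item.user }}.socket"
    state: stopped
  loop: "{{ nextcloud_instances }}"

- name: stop php-fpm-service
  systemd:
    name: "php-fpm@{{ item.user }}.service"
    state: stopped
  loop: "{{ nextcloud_instances }}"

- name: start php-fpm-socket
  systemd:
    name: "php-fpm@{{ item.user }}.socket"
    state: started
  loop: "{{ nextcloud_instances }}"
```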
@@ -1,14 +1,14 @@ --- -- name: "apache: {{ instance.domain }}: Seite einrichten" +- name: "apache: {{ instance.name }}: Seite einrichten" lineinfile: path: /etc/apache2/conf-available/nextcloud_sites.conf insertafter: "^Ansbile" - line: "Use NCSite {{ instance.domain }} {{ instance.user }}" + line: "Use NCSite {{ instance.name }} {{ instance.user }}" notify: reload apache - name: "apache: {{ instance.alias }}: Alias einrichten" template: src: apache_alias.j2 - dest: "/etc/apache2/conf-available/{{ instance.domain }}.alias.conf" + dest: "/etc/apache2/conf-available/{{ instance.name }}.alias.conf" notify: reload apache when: instance.alias is defined diff --git a/tasks/common.yml b/tasks/common.yml index d110f41..d2cc959 100644 --- a/tasks/common.yml +++ b/tasks/common.yml @@ -1,12 +1,14 @@ --- - name: "common | Apache-Module laden" apache2_module: - state: present - name: "{{ item }}" - with_items: - - macro - - proxy_fcgi - - setenvif + name: "{{ item.name }}" + state: "{{ item.state|default('present') }}" + loop: + - { name: macro } + - { name: mpm_prefork, state: absent } + - { name: mpm_event } + - { name: proxy_fcgi } + - { name: setenvif } notify: restart apache - name: "common | Apache-Vorlage für Seitenkonfiguration kopieren" @@ -21,6 +23,11 @@ state: link notify: reload apache +- name: common | Erstelle PHP-FPM-Log-Verzeichnis + file: + path: "{{ php_fpm_log_dir }}" + state: directory + - name: "common | Kopiere PHP-CLI-Konfiguration" copy: src: ../roles/nextcloud/files/30-sao-nextcloud.ini 
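Review bot: The `apache2_module` loop in tasks/common.yml disables `mpm_prefork` before it enables `mpm_event`, so the module's configuration check runs while no MPM is loaded, and on Debian `a2dismod mpm_prefork` refuses outright if the `php` Apache module still depends on it; on a host currently running prefork the task will likely stop there. The module documents exactly this case: carry `ignore_configcheck` through the loop, `ignore_configcheck: "{{ item.ignore_configcheck|default(false) }}"` with `- { name: mpm_prefork, state: absent, ignore_configcheck: true }`, and add `force: true` if the Debian dependency warning appears; alternatively list `mpm_event` before `mpm_prefork`. A comment above the loop, `# PHP runs in php-fpm now; Apache only proxies via mod_proxy_fcgi, so prefork is replaced by event`, would record why the MPM changes. `notify: restart apache` remains correct here, an MPM switch cannot be applied by a reload.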
@@ -32,6 +39,33 @@ dest: "/etc/php/{{ php_version.stdout }}/cli/conf.d/30-sao-nextcloud.ini" state: link +- name: "common | Kopiere Template für systemd socket" + copy: + src: "../roles/nextcloud/files/systemd/php-fpm@.socket" + dest: /etc/systemd/system/php-fpm@.socket + notify: + - stop php-fpm-socket + - stop php-fpm-service + - start php-fpm-socket + +- name: "common | Kopiere Template für systemd service" + template: + src: ../roles/nextcloud/templates/systemd/php-fpm@.service.j2 + dest: /etc/systemd/system/php-fpm@.service + notify: + - stop php-fpm-socket + - stop php-fpm-service + - start php-fpm-socket + +- name: "common | Aktiviere systemd Socket und Service" + systemd: + name: "{{ item }}" + enabled: true + daemon_reload: true + loop: + - php-fpm@.socket + - php-fpm@.service + - name: "common | Kopiere Update-Skript" template: src: ../roles/nextcloud/templates/nextcloud-updater.j2 diff --git a/tasks/database.yml b/tasks/database.yml index 1c4e06d..173493a 100644 --- a/tasks/database.yml +++ b/tasks/database.yml @@ -1,5 +1,5 @@ --- -- name: "database: {{ instance.domain }}: Datenbank einrichten" +- name: "database | {{ instance.name }} | Datenbank einrichten" mysql_db: name: "{{ instance.database }}" state: present @@ -8,7 +8,7 @@ config_file: /etc/mysql/debian.cnf delegate_to: "{{ database_host }}" -- name: "database: {{ instance.domain }}: Benutzer einrichten" +- name: "database | {{ instance.name }} | Benutzer einrichten" mysql_user: name: "{{ instance.database }}" host: "{{ inventory_hostname }}" diff --git a/tasks/gateway.yml b/tasks/gateway.yml index 237844f..8359a85 100644 --- a/tasks/gateway.yml +++ b/tasks/gateway.yml 
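Review bot: `common | Aktiviere systemd Socket und Service` enables the bare template units `php-fpm@.socket` and `php-fpm@.service`; systemd can enable a template without an instance name only when the unit sets `DefaultInstance=`, which neither file does, so depending on the systemd version this task is either rejected or a no-op that reports changed on every run, while the per-instance units are enabled anyway in tasks/php.yml. Keeping only the reload, `systemd: daemon_reload: true`, gives the freshly copied unit files their effect without that risk. Its placement directly after the two copy tasks is what makes the new units visible before the stop/start handlers fire at the end of the play; a comment, `# reload unit files before the php-fpm handlers run`, would make that ordering deliberate rather than accidental.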
@@ -1,13 +1,13 @@ --- -- name: "gateway: {{ instance.domain }}: Domain zur Zertifikatsliste hinzufügen" +- name: "gateway: {{ instance.name }}: Domain zur Zertifikatsliste hinzufügen" lineinfile: path: /etc/dehydrated/domains.txt insertafter: "^# nextcloud" - line: "{{ instance.domain }}" + line: "{{ instance.name }}" register: dehydrated delegate_to: "{{ gateway_host }}" -- name: "gateway: {{ instance.domain }}: Alias zur Zertifikatsliste hinzufügen" +- name: "gateway: {{ instance.name }}: Alias zur Zertifikatsliste hinzufügen" lineinfile: path: /etc/dehydrated/domains.txt insertafter: "^# nextcloud" @@ -17,24 +17,24 @@ delegate_to: "{{ gateway_host }}" loop: "{{ instance.alias }}" -- name: "gateway: {{ instance.domain }}: Zertifikat erstellen" +- name: "gateway: {{ instance.name }}: Zertifikat erstellen" command: dehydrated --cron -g delegate_to: "{{ gateway_host }}" when: dehydrated.changed -- name: "gateway: {{ instance.domain }}: Proxy einrichten" +- name: "gateway: {{ instance.name }}: Proxy einrichten" template: src: nginx_site.j2 - dest: "/etc/nginx/sites-available/{{ instance.domain }}" + dest: "/etc/nginx/sites-available/{{ instance.name }}" owner: root group: root mode: 0644 delegate_to: "{{ gateway_host }}" -- name: "gateway: {{ instance.domain }}: Seite aktivieren" +- name: "gateway: {{ instance.name }}: Seite aktivieren" file: - src: "/etc/nginx/sites-available/{{ instance.domain }}" - dest: "/etc/nginx/sites-enabled/{{ instance.domain }}" + src: "/etc/nginx/sites-available/{{ instance.name }}" + dest: "/etc/nginx/sites-enabled/{{ instance.name }}" state: link notify: reload nginx delegate_to: "{{ gateway_host }}" diff --git a/tasks/main.yml b/tasks/main.yml index fcba074..d8f1c65 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,6 +8,9 @@ - import_tasks: database.yml tags: database +- import_tasks: user.yml + tags: user + - import_tasks: php.yml tags: php 
@@ -23,4 +26,4 @@ tags: configuration - import_tasks: fixes.yml - tags: fixes \ No newline at end of file + tags: fixes diff --git a/tasks/nextcloud.yml b/tasks/nextcloud.yml index a0dd05b..b7bff04 100644 --- a/tasks/nextcloud.yml +++ b/tasks/nextcloud.yml @@ -1,11 +1,11 @@ --- -- name: "nextcloud: {{ instance.domain }}: Verzeichnis prüfen" +- name: "nextcloud: {{ instance.name }}: Verzeichnis prüfen" file: path: "{{ nextcloud_install_path }}" mode: 0755 state: directory -- name: "nextcloud: {{ instance.domain }}: herunterladen und entpacken" +- name: "nextcloud: {{ instance.name }}: herunterladen und entpacken" unarchive: src: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2" remote_src: true @@ -16,7 +16,7 @@ group: "{{ user }}" mode: 0755 -- name: "nextcloud: {{ instance.domain }}: Installation" +- name: "nextcloud: {{ instance.name }}: Installation" command: > php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql" --database-name "{{ instance.database }}" --database-user "{{ instance.database }}" diff --git a/tasks/nextcloud_configuration.yml b/tasks/nextcloud_configuration.yml index 013ddea..38e00a1 100644 --- a/tasks/nextcloud_configuration.yml +++ b/tasks/nextcloud_configuration.yml @@ -1,5 +1,5 @@ --- -- name: "configuration: {{ instance.domain }}: trusted domains einrichten" +- name: "configuration: {{ instance.name }}: trusted domains einrichten" command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' become: true become_user: "{{ instance.user }}" 
@@ -7,15 +7,15 @@ with_indexed_items: - '{{ nextcloud_trusted_domains }}' -- name: "configuration: {{ instance.domain }}: cron einrichten" +- name: "configuration: {{ instance.name }}: cron einrichten" cron: - name: "nextcloud {{ instance.domain }}" + name: "nextcloud {{ instance.name }}" minute: "*/5" user: "{{ instance.user }}" job: "php -f {{ nextcloud_install_path}}/cron.php" cron_file: "nextcloud" -- name: "configuration: {{ instance.domain }}: allgemeie Konfiguration" +- name: "configuration: {{ instance.name }}: allgemeie Konfiguration" command: "{{ item }}" become: true become_user: "{{ instance.user }}" @@ -24,14 +24,14 @@ - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"' - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"' - "php {{ nextcloud_install_path }}/occ background:cron" - - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.domain }}' + - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.name }}' - 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /' - 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess' - 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"' - 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"' - 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"' -- name: "configuration: {{ instance.domain }}: Mailversand einrichten" +- name: "configuration: {{ instance.name }}: Mailversand einrichten" blockinfile: path: "{{ nextcloud_config_file }}" insertbefore: '^\);' 
@@ -45,7 +45,7 @@ 'mail_smtphost' => '{{ nextcloud_smtp_host }}', 'mail_smtpport' => '{{ nextcloud_smtp_port}}', -- name: "configuration: {{ instance.domain }}: Filelocking" +- name: "configuration: {{ instance.name }}: Filelocking" blockinfile: path: "{{ nextcloud_config_file }}" insertbefore: '^\);' @@ -60,7 +60,7 @@ 'timeout' => 1.5, ), -- name: "configuration: {{ instance.domain }}: trusted proxies einrichten" +- name: "configuration: {{ instance.name }}: trusted proxies einrichten" command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"' become: true become_user: "{{ instance.user }}" diff --git a/tasks/php.yml b/tasks/php.yml index 5a1f87f..58186b4 100644 --- a/tasks/php.yml +++ b/tasks/php.yml @@ -1,18 +1,32 @@ --- -- name: "php: {{ instance.domain }}: FPM-Nutzer anlegen" - user: - name: "{{ instance.user }}" - create_home: no - password: "!" - groups: redis - shell: /bin/false - state: present - -- name: "php: {{ instance.domain }}: FPM-Pool einrichten" +- name: "php | {{ instance.name }} | FPM-Pool kopieren" template: src: php_fpm_pool.j2 - dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ instance.user }}.conf" + dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ instance.user }}.cfg" owner: root group: root mode: 0644 - notify: restart phpfpm + notify: + - stop php-fpm-socket + - stop php-fpm-service + - start php-fpm-socket + +- name: "php | {{ instance.name }} | Erstelle Log-Datei" + file: + path: "{{ php_fpm_log_dir }}/{{ instance.user }}.log" + state: touch + owner: "{{ instance.user }}" + group: "{{ instance.user }}" + +- name: "php | {{ instance.name }} | Aktiviere systemd Socket" + systemd: + name: "php-fpm@{{ instance.user }}.socket" + enabled: true + state: started + daemon_reload: true + +- name: "php | {{ instance.name }} | Aktiviere systemd Service" + systemd: + name: "php-fpm@{{ instance.user }}.service" + enabled: true + daemon-reload: true 
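Review bot: The last task in tasks/php.yml, `php | … | Aktiviere systemd Service`, spells the option `daemon-reload: true`; the `systemd` module's parameter is `daemon_reload`, so argument validation rejects the task as an unsupported parameter and the play stops before the service is enabled, whereas the preceding socket task has it right. The `Erstelle Log-Datei` task uses `state: touch` without time preservation and therefore reports changed on every run; `modification_time: preserve` and `access_time: preserve` make it idempotent, and since the file will hold that instance's PHP errors, `mode: "0640"` fits the owner and group already set instead of the umask default. The pool `dest` now ends in `.cfg`, presumably so the distribution's php-fpm does not also load it as a pool from pool.d; a comment on the `dest:` line stating that would explain the unusual extension.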
diff --git a/tasks/redis.yml b/tasks/redis.yml index 6a07bf0..79fc465 100644 --- a/tasks/redis.yml +++ b/tasks/redis.yml @@ -13,7 +13,7 @@ - name: "redis: Ermittle Anzahl der NC-Instanzen" set_fact: - instances_number: "{{ instances | length }}" + instances_number: "{{ nextcloud_instances | length }}" - name: "redis: Konfiguriere Anzahl der Datenbanken" lineinfile: diff --git a/tasks/user.yml b/tasks/user.yml new file mode 100644 index 0000000..776fc29 --- /dev/null +++ b/tasks/user.yml @@ -0,0 +1,15 @@ +--- +- name: "user | {{ instance.name }} | Nextcloud-System-Nutzer anlegen" + user: + name: "{{ instance.user }}" + create_home: false + password_lock: true + groups: redis + shell: /bin/false + state: present + +- name: "user | {{ instance.name }} | Füge www-data zur Nextcloud-Nutzer-Gruppe hinzu" + user: + name: www-data + groups: "{{ instance.user }}" + append: true diff --git a/tasks/version.yml b/tasks/version.yml index 467d84d..1514682 100644 --- a/tasks/version.yml +++ b/tasks/version.yml @@ -1,12 +1,12 @@ --- -- name: "version: {{ instance.domain }}: Prüfe NC-Installation" +- name: "version: {{ instance.name }}: Prüfe NC-Installation" stat: path: "{{ nextcloud_install_path }}/version.php" register: nc_is_installed check_mode: false changed_when: false -- name: "version: {{ instance.domain }}: Prüfe NC-Version" +- name: "version: {{ instance.name }}: Prüfe NC-Version" shell: cmd: php ./occ -V | awk '{print $NF}' chdir: "{{ nextcloud_install_path }}" diff --git a/templates/apache_alias.j2 b/templates/apache_alias.j2 index c530bec..de29cb8 100644 --- a/templates/apache_alias.j2 +++ b/templates/apache_alias.j2 @@ -1,5 +1,5 @@ {% if instance.alias is defined %} - {% for alias in instance.alias %} +{% for alias in instance.alias %} ServerAlias {{ alias }} - {% endfor %} +{% endfor %} {% endif %} diff --git a/templates/nginx_site.j2 b/templates/nginx_site.j2 index 7f42fac..e262e6e 100644 --- a/templates/nginx_site.j2 +++ b/templates/nginx_site.j2 
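Review bot: `user | … | Nextcloud-System-Nutzer anlegen` in tasks/user.yml creates a daemon account without `system: true`, so it receives a UID from the regular user range and regular password-aging defaults; `system: true` next to the `password_lock: true` and `shell: /bin/false` already present is the usual shape for a service account. The second task assumes a group named after `instance.user` exists, which holds on Debian's default of creating a per-user group but is nowhere stated, and it is what lets Apache reach the instance's php-fpm socket; a comment on that task, `# www-data must be in the instance group to connect to the 0660 php-fpm socket`, records both the dependency and the reason for the grant.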
@@ -1,6 +1,6 @@ server { listen 80; - server_name {{ instance.domain }}; + server_name {{ instance.name }}; {% if instance.alias is defined %} {% for alias in instance.alias %} server_name {{ alias }}; @@ -12,9 +12,9 @@ server { server { listen 443 ssl http2; - server_name {{ instance.domain }}; - ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem; + server_name {{ instance.name }}; + ssl_certificate /var/lib/dehydrated/certs/{{ instance.name }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.name }}/privkey.pem; include /etc/nginx/proxy_params; add_header Referrer-Policy $referrerpolicy; add_header Strict-Transport-Security $sts; diff --git a/templates/php_fpm_pool.j2 b/templates/php_fpm_pool.j2 index d8d7bd7..6be8298 100644 --- a/templates/php_fpm_pool.j2 +++ b/templates/php_fpm_pool.j2 
@@ -1,40 +1,32 @@
+[global]
+error_log = ${FPM_ERROR_LOG}
+
 [{{ instance.user }}]
-;prefix = /path/to/pools/$pool
-user = $pool
-group = $pool
-listen = /run/php/php-fpm-$pool.sock
-listen.owner = $pool
-listen.group = www-data
-listen.mode = 0660
-listen.allowed_clients = 127.0.0.1
+listen = ${FPM_SOCKET_PATH}
 pm = dynamic
 pm.max_children = 60
 pm.start_servers = 10
 pm.min_spare_servers = 10
 pm.max_spare_servers = 30
-pm.process_idle_timeout = 10s;
-pm.max_requests = 100
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
 pm.status_path = /status
 chdir = /
 clear_env = no
 security.limit_extensions = .php .php3 .php4 .php5
-env[HOSTNAME] = $HOSTNAME
-env[PATH] = /usr/local/bin:/usr/bin:/bin
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-php_admin_value[memory_limit] = {{ nextcloud_php_memory_limit }}
-php_admin_value[upload_max_filesize] = {{ nextcloud_php_upload_limit }}
-php_admin_value[post_max_size] = {{ nextcloud_php_upload_limit }}
-php_admin_value[opcache.enable] = 1
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
 php_admin_value[opcache.interned_strings_buffer] = 8
 php_admin_value[opcache.max_accelerated_files] = 10000
 php_admin_value[opcache.memory_consumption] = 128
 php_admin_value[opcache.save_comments] = 1
 php_admin_value[opcache.revalidate_freq] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = {{ nextcloud_php_memory_limit }}
+php_admin_value[upload_max_filesize] = {{ nextcloud_php_upload_limit }}
+php_admin_value[post_max_size] = {{ nextcloud_php_upload_limit }}
 php_admin_value[open_basedir] = {{ nextcloud_install_path 
}}:/tmp:/dev/urandom:/proc/meminfo:/var/log:/sys/class/net/eth0:/sys/class/net/lo
 ;php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo
diff --git a/templates/systemd/php-fpm@.service.j2 b/templates/systemd/php-fpm@.service.j2
new file mode 100644
index 0000000..d972c55
--- /dev/null
+++ b/templates/systemd/php-fpm@.service.j2
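Review bot: `listen = ${FPM_SOCKET_PATH}` and `error_log = ${FPM_ERROR_LOG}` resolve only when the pool is started through the templated `php-fpm@.service`, and the socket owner and mode that `listen.owner`/`listen.group`/`listen.mode` used to set here are now decided by `php-fpm@.socket`; none of that is visible from the template itself, so a header comment is warranted: `; standalone FPM config for one instance, started by php-fpm@<user>.service; the FPM_* values and the socket permissions come from the systemd units`. `php_admin_value[opcache.enable] = 1` was dropped, so the pool now relies on the php.ini default for opcache; fine with the distribution's production ini, but worth a note if intentional. `clear_env = no` is retained, so the unit's `FPM_*` variables are readable by PHP through `getenv()`, and with the explicit `env[PATH]`/`env[TMP*]` pins gone, `PATH` inside PHP is now whatever systemd gives the service rather than the fixed list the old pool set.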
@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+#
+# This service can be enabled for Wordpress site.
+# It uses a single php-fpm configuration file.
+# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
+
+[Unit]
+Description=The PHP FastCGI Process Manager for %I
+Documentation=man:php-fpm{{ php_version.stdout }}(8)
+After=network.target
+Requires=php-fpm@%i.socket
+
+[Service]
+User=%i
+Group=%i
+Type=notify
+Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
+Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
+# this variable is used in the pool configuration file
+Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
+ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_dir }}/%i.cfg
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
+
+# Hardening
+# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target
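Review bot: The header comment describes the unit as "for Wordpress site", but it is installed by the nextcloud role and its counterpart is `templates/php_fpm_pool.j2`; replace it with `# One php-fpm master per Nextcloud instance; %i is the instance's system user.` and name the pool template as the consumer of `FPM_SOCKET_PATH` and `FPM_ERROR_LOG` instead of the vague "see below". `Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"` hard-codes descriptor 3, which is right only while `php-fpm@.socket` passes exactly one socket (systemd hands passed descriptors over starting at 3); `# fd 3 = the single ListenStream of php-fpm@%i.socket` above it records that coupling. Since the master already runs as `User=%i`, nothing in the unit needs to gain privileges, so `NoNewPrivileges=true` appears to fit beside the other hardening lines; confirm that no instance relies on setuid helpers from PHP before adding it.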