nextcloud: Eigener PHP-FPM-Master pro Nextcloud-Instanz

defaults/main.yml

@@ -3,15 +3,15 @@ local_munin_path: /data/munin
 
 nextcloud_admin_user: systemausfall.org
 nextcloud_admin_pw: admin
-nextcloud_db_password: "{{ lookup('password', '/tmp/{{ instance.domain }}_db_pwd length=42 chars=ascii_letters,digits') }}"
+nextcloud_db_password: "{{ lookup('password', '/tmp/{{ instance.name }}_db_pwd length=42 chars=ascii_letters,digits') }}"
-nextcloud_munin_user_password: "{{ lookup('password', '/tmp/{{ instance.domain }}_munin_pwd length=42 chars=ascii_letters,digits') }}"
+nextcloud_munin_user_password: "{{ lookup('password', '/tmp/{{ instance.name }}_munin_pwd length=42 chars=ascii_letters,digits') }}"
 nextcloud_dl_url: https://download.nextcloud.com/server/releases
 nextcloud_root: /data/nextcloud
-nextcloud_install_path: "{{ nextcloud_root }}/{{ instance.domain }}"
+nextcloud_install_path: "{{ nextcloud_root }}/{{ instance.name }}"
 nextcloud_config_file: "{{ nextcloud_install_path }}/config/config.php"
 nextcloud_php_memory_limit: 512M
 nextcloud_php_upload_limit: 512M
-nextcloud_trusted_domains: ['localhost', '{{ instance.domain }}']
+nextcloud_trusted_domains: ['localhost', '{{ instance.name }}']
 nextcloud_trusted_proxies: ['10.42.7.1']
 nextcloud_version: nextcloud-22.2.0
 nextcloud_mail_from: noreply
@@ -20,4 +20,7 @@ nextcloud_smtp_auth_type: LOGIN
 nextcloud_smtp_host: sl-postbote.kahlo
 nextcloud_smtp_port: 25
 
+php_fpm_log_dir: /var/log/phpfpm
+php_fpm_pool_dir: /etc/php/{{ php_version.stdout }}/fpm/pool.d
+
 redis_config_file: /etc/redis/redis.conf

files/apache_site.conf

@@ -1,34 +1,41 @@
 <Macro NCSite $domain $pool>
-<VirtualHost *:80>
+    <VirtualHost *:80>
-
         ServerName $domain
         DocumentRoot /data/nextcloud/$domain/
         Include /etc/apache2/conf-available/sao-cache.conf
         IncludeOptional /etc/apache2/conf-available/$domain.alias.conf
-
         ProxyTimeout 900
 
-        <FilesMatch \.php$>
+        <IfModule proxy_fcgi_module>
-                SetHandler "proxy:unix:/run/php/php-fpm-$pool.sock|fcgi://$domain/"
+            <FilesMatch ".+\.ph(ar|p|tml)$">
-        </FilesMatch>
+                SetHandler "proxy:unix:/run/php/php-fpm-$pool.sock|fcgi://$domain"
-
+            </FilesMatch>
-        <Proxy "fcgi://$domain/">
+            <FilesMatch ".+\.phps$">
-        </Proxy>
+                Require all denied
+            </FilesMatch>
+            <FilesMatch "^\.ph(ar|p|ps|tml)$">
+                Require all denied
+            </FilesMatch>
+            <Files xmlrpc.php>
+                Require all denied
+            </Files>
+            <Files wp-config.php>
+                Require all denied
+            </Files>
+        </IfModule>
 
         <Directory /data/nextcloud/$domain/>
-                Require all granted
+            Require all granted
-                AllowOverride All
+            AllowOverride All
-                Options FollowSymLinks MultiViews
+            Options FollowSymLinks MultiViews
-                <IfModule mod_dav.c>
+            <IfModule mod_dav.c>
-                        Dav off
+                Dav off
-                </IfModule>
+            </IfModule>
         </Directory>
-
+    </VirtualHost>
-</VirtualHost>
-
 </Macro>
 
 # Includieren der Variablen
 Include /etc/apache2/conf-available/nextcloud_sites.conf
 
-UndefMacro NCSite
+UndefMacro NCSite

files/systemd/php-fpm@.socket

@@ -0,0 +1,11 @@
+[Unit]
+After=network-online.target
+
+[Socket]
+SocketUser=%i
+SocketGroup=%i
+SocketMode=0660
+ListenStream=/run/php/php-fpm-%i.sock
+
+[Install]
+WantedBy=sockets.target

handlers/main.yml

@@ -15,12 +15,16 @@
     state: reloaded
   delegate_to: "{{ gateway_host }}"
 
-- name: restart phpfpm
-  service:
-    name: "php{{ php_version.stdout }}-fpm"
-    state: restarted
-
 - name: restart munin-node
   service:
     name: munin-node
-    state: restarted
+    state: restarted
+
+- name: stop php-fpm-socket
+  command: systemctl stop php-fpm@*.socket
+
+- name: stop php-fpm-service
+  command: systemctl stop php-fpm@*.service
+
+- name: start php-fpm-socket
+  command: systemctl start php-fpm@*.socket --all

tasks/apache.yml

@@ -1,14 +1,14 @@
 ---
-- name: "apache: {{ instance.domain }}: Seite einrichten"
+- name: "apache: {{ instance.name }}: Seite einrichten"
   lineinfile:
     path: /etc/apache2/conf-available/nextcloud_sites.conf
     insertafter: "^Ansbile"
-    line: "Use NCSite {{ instance.domain }} {{ instance.user }}"
+    line: "Use NCSite {{ instance.name }} {{ instance.user }}"
   notify: reload apache
 
 - name: "apache: {{ instance.alias }}: Alias einrichten"
   template:
     src: apache_alias.j2
-    dest: "/etc/apache2/conf-available/{{ instance.domain }}.alias.conf"
+    dest: "/etc/apache2/conf-available/{{ instance.name }}.alias.conf"
   notify: reload apache
   when: instance.alias is defined

tasks/common.yml

@@ -1,12 +1,14 @@
 ---
 - name: "common | Apache-Module laden"
   apache2_module:
-    state: present
+    name: "{{ item.name }}"
-    name: "{{ item }}"
+    state: "{{ item.state|default('present') }}"
-  with_items:
+  loop:
-    - macro
+    - { name: macro }
-    - proxy_fcgi
+    - { name: mpm_prefork, state: absent }
-    - setenvif
+    - { name: mpm_event }
+    - { name: proxy_fcgi }
+    - { name: setenvif }
   notify: restart apache
 
 - name: "common | Apache-Vorlage für Seitenkonfiguration kopieren"
@@ -21,6 +23,11 @@
     state: link
   notify: reload apache
 
+- name: common | Erstelle PHP-FPM-Log-Verzeichnis
+  file:
+    path: "{{ php_fpm_log_dir }}"
+    state: directory
+
 - name: "common | Kopiere PHP-CLI-Konfiguration"
   copy:
     src: ../roles/nextcloud/files/30-sao-nextcloud.ini
@@ -32,6 +39,33 @@
     dest: "/etc/php/{{ php_version.stdout }}/cli/conf.d/30-sao-nextcloud.ini"
     state: link
 
+- name: "common | Kopiere Template für systemd socket"
+  copy:
+    src: "../roles/nextcloud/files/systemd/php-fpm@.socket"
+    dest: /etc/systemd/system/php-fpm@.socket
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "common | Kopiere Template für systemd service"
+  template:
+    src: ../roles/nextcloud/templates/systemd/php-fpm@.service.j2
+    dest: /etc/systemd/system/php-fpm@.service
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "common | Aktiviere systemd Socket und Service"
+  systemd:
+    name: "{{ item }}"
+    enabled: true
+    daemon_reload: true
+  loop:
+    - php-fpm@.socket
+    - php-fpm@.service
+
 - name: "common | Kopiere Update-Skript"
   template:
     src: ../roles/nextcloud/templates/nextcloud-updater.j2

tasks/database.yml

@@ -1,5 +1,5 @@
 ---
-- name: "database: {{ instance.domain }}: Datenbank einrichten"
+- name: "database | {{ instance.name }} | Datenbank einrichten"
   mysql_db:
     name: "{{ instance.database }}"
     state: present
@@ -8,7 +8,7 @@
     config_file: /etc/mysql/debian.cnf
   delegate_to: "{{ database_host }}"
 
-- name: "database: {{ instance.domain }}: Benutzer einrichten"
+- name: "database | {{ instance.name }} | Benutzer einrichten"
   mysql_user:
     name: "{{ instance.database }}"
     host: "{{ inventory_hostname }}"

tasks/gateway.yml

@@ -1,13 +1,13 @@
 ---
-- name: "gateway: {{ instance.domain }}: Domain zur Zertifikatsliste hinzufügen"
+- name: "gateway: {{ instance.name }}: Domain zur Zertifikatsliste hinzufügen"
   lineinfile:
     path: /etc/dehydrated/domains.txt
     insertafter: "^# nextcloud"
-    line: "{{ instance.domain }}"
+    line: "{{ instance.name }}"
   register: dehydrated
   delegate_to: "{{ gateway_host }}"
 
-- name: "gateway: {{ instance.domain }}: Alias zur Zertifikatsliste hinzufügen"
+- name: "gateway: {{ instance.name }}: Alias zur Zertifikatsliste hinzufügen"
   lineinfile:
     path: /etc/dehydrated/domains.txt
     insertafter: "^# nextcloud"
@@ -17,24 +17,24 @@
   delegate_to: "{{ gateway_host }}"
   loop: "{{ instance.alias }}"
 
-- name: "gateway: {{ instance.domain }}: Zertifikat erstellen"
+- name: "gateway: {{ instance.name }}: Zertifikat erstellen"
   command: dehydrated --cron -g
   delegate_to: "{{ gateway_host }}"
   when: dehydrated.changed
 
-- name: "gateway: {{ instance.domain }}: Proxy einrichten"
+- name: "gateway: {{ instance.name }}: Proxy einrichten"
   template:
     src: nginx_site.j2
-    dest: "/etc/nginx/sites-available/{{ instance.domain }}"
+    dest: "/etc/nginx/sites-available/{{ instance.name }}"
     owner: root
     group: root
     mode: 0644
   delegate_to: "{{ gateway_host }}"
 
-- name: "gateway: {{ instance.domain }}: Seite aktivieren"
+- name: "gateway: {{ instance.name }}: Seite aktivieren"
   file:
-    src: "/etc/nginx/sites-available/{{ instance.domain }}"
+    src: "/etc/nginx/sites-available/{{ instance.name }}"
-    dest: "/etc/nginx/sites-enabled/{{ instance.domain }}"
+    dest: "/etc/nginx/sites-enabled/{{ instance.name }}"
     state: link
   notify: reload nginx
   delegate_to: "{{ gateway_host }}"

tasks/main.yml

@@ -8,6 +8,9 @@
 - import_tasks: database.yml
   tags: database
 
+- import_tasks: user.yml
+  tags: user
+
 - import_tasks: php.yml
   tags: php
 
@@ -23,4 +26,4 @@
   tags: configuration
 
 - import_tasks: fixes.yml
-  tags: fixes
+  tags: fixes

tasks/nextcloud.yml

@@ -1,11 +1,11 @@
 ---
-- name: "nextcloud: {{ instance.domain }}: Verzeichnis prüfen"
+- name: "nextcloud: {{ instance.name }}: Verzeichnis prüfen"
   file:
     path: "{{ nextcloud_install_path }}"
     mode: 0755
     state: directory
 
-- name: "nextcloud: {{ instance.domain }}: herunterladen und entpacken"
+- name: "nextcloud: {{ instance.name }}: herunterladen und entpacken"
   unarchive:
     src: "{{ nextcloud_dl_url }}/{{ nextcloud_version }}.tar.bz2"
     remote_src: true
@@ -16,7 +16,7 @@
     group: "{{ user }}"
     mode: 0755
 
-- name: "nextcloud: {{ instance.domain }}: Installation"
+- name: "nextcloud: {{ instance.name }}: Installation"
   command: >
     php "{{ nextcloud_install_path }}"/occ maintenance:install --database "mysql"
     --database-name "{{ instance.database }}" --database-user "{{ instance.database }}"

tasks/nextcloud_configuration.yml

@@ -1,5 +1,5 @@
 ---
-- name: "configuration: {{ instance.domain }}: trusted domains einrichten"
+- name: "configuration: {{ instance.name }}: trusted domains einrichten"
   command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"'
   become: true
   become_user: "{{ instance.user }}"
@@ -7,15 +7,15 @@
   with_indexed_items:
     - '{{ nextcloud_trusted_domains  }}'
 
-- name: "configuration: {{ instance.domain }}: cron einrichten"
+- name: "configuration: {{ instance.name }}: cron einrichten"
   cron:
-    name: "nextcloud {{ instance.domain }}"
+    name: "nextcloud {{ instance.name }}"
     minute: "*/5"
     user: "{{ instance.user }}"
     job: "php -f {{ nextcloud_install_path}}/cron.php"
     cron_file: "nextcloud"
 
-- name: "configuration: {{ instance.domain }}: allgemeie Konfiguration"
+- name: "configuration: {{ instance.name }}: allgemeie Konfiguration"
   command: "{{ item }}"
   become: true
   become_user: "{{ instance.user }}"
@@ -24,14 +24,14 @@
     - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.local --value "\\OC\\Memcache\\APCu"'
     - 'php {{ nextcloud_install_path }}/occ config:system:set memcache.distributed --value "\OC\Memcache\Redis"'
     - "php {{ nextcloud_install_path }}/occ background:cron"
-    - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.domain }}'
+    - 'php {{ nextcloud_install_path }}/occ config:system:set overwrite.cli.url --value https://{{ instance.name }}'
     - 'php {{ nextcloud_install_path }}/occ config:system:set htaccess.RewriteBase --value /'
     - 'php {{ nextcloud_install_path }}/occ maintenance:update:htaccess'
     - 'php {{ nextcloud_install_path }}/occ config:system:set default_language --value "de"'
     - 'php {{ nextcloud_install_path }}/occ config:system:set default_phone_region --value "DE"'
     - 'php {{ nextcloud_install_path }}/occ config:system:set loglevel --value "1"'
 
-- name: "configuration: {{ instance.domain }}: Mailversand einrichten"
+- name: "configuration: {{ instance.name }}: Mailversand einrichten"
   blockinfile:
     path: "{{ nextcloud_config_file }}"
     insertbefore: '^\);'
@@ -45,7 +45,7 @@
         'mail_smtphost' => '{{ nextcloud_smtp_host }}',
         'mail_smtpport' => '{{ nextcloud_smtp_port}}',
 
-- name: "configuration: {{ instance.domain }}: Filelocking"
+- name: "configuration: {{ instance.name }}: Filelocking"
   blockinfile:
     path: "{{ nextcloud_config_file }}"
     insertbefore: '^\);'
@@ -60,7 +60,7 @@
              'timeout' => 1.5,
         ),
 
-- name: "configuration: {{ instance.domain }}: trusted proxies einrichten"
+- name: "configuration: {{ instance.name }}: trusted proxies einrichten"
   command: 'php {{ nextcloud_install_path }}/occ config:system:set trusted_proxies {{ item.0 }} --value "{{ item.1 }}"'
   become: true
   become_user: "{{ instance.user }}"

tasks/php.yml

@@ -1,18 +1,32 @@
 ---
-- name: "php: {{ instance.domain }}: FPM-Nutzer anlegen"
+- name: "php | {{ instance.name }} | FPM-Pool kopieren"
-  user:
-    name: "{{ instance.user }}"
-    create_home: no
-    password: "!"
-    groups: redis
-    shell: /bin/false
-    state: present
-
-- name: "php: {{ instance.domain }}: FPM-Pool einrichten"
   template:
     src: php_fpm_pool.j2
-    dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ instance.user }}.conf"
+    dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ instance.user }}.cfg"
     owner: root
     group: root
     mode: 0644
-  notify: restart phpfpm
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "php | {{ instance.name }} | Erstelle Log-Datei"
+  file:
+    path: "{{ php_fpm_log_dir }}/{{ instance.user }}.log"
+    state: touch
+    owner: "{{ instance.user }}"
+    group: "{{ instance.user }}"
+
+- name: "php | {{ instance.name }} | Aktiviere systemd Socket"
+  systemd:
+    name: "php-fpm@{{ instance.user }}.socket"
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: "php | {{ instance.name }} | Aktiviere systemd Service"
+  systemd:
+    name: "php-fpm@{{ instance.user }}.service"
+    enabled: true
+    daemon-reload: true

tasks/redis.yml

@@ -13,7 +13,7 @@
 
 - name: "redis: Ermittle Anzahl der NC-Instanzen"
   set_fact:
-    instances_number: "{{ instances | length }}"
+    instances_number: "{{ nextcloud_instances | length }}"
 
 - name: "redis: Konfiguriere Anzahl der Datenbanken"
   lineinfile:

tasks/user.yml

@@ -0,0 +1,15 @@
+---
+- name: "user | {{ instance.name }} | Nextcloud-System-Nutzer anlegen"
+  user:
+    name: "{{ instance.user }}"
+    create_home: false
+    password_lock: true
+    groups: redis
+    shell: /bin/false
+    state: present
+
+- name: "user | {{ instance.name }} | Füge www-data zur Nextcloud-Nutzer-Gruppe hinzu"
+  user:
+    name: www-data
+    groups: "{{ instance.user }}"
+    append: true

tasks/version.yml

@@ -1,12 +1,12 @@
 ---
-- name: "version: {{ instance.domain }}: Prüfe NC-Installation"
+- name: "version: {{ instance.name }}: Prüfe NC-Installation"
   stat:
     path: "{{ nextcloud_install_path }}/version.php"
   register: nc_is_installed
   check_mode: false
   changed_when: false
 
-- name: "version: {{ instance.domain }}: Prüfe NC-Version"
+- name: "version: {{ instance.name }}: Prüfe NC-Version"
   shell:
     cmd: php ./occ -V | awk '{print $NF}'
     chdir: "{{ nextcloud_install_path }}"

templates/apache_alias.j2

@@ -1,5 +1,5 @@
 {% if instance.alias is defined %}
-  {% for alias in instance.alias %}
+{% for alias in instance.alias %}
 ServerAlias {{ alias }}
-  {% endfor %}
+{% endfor %}
 {% endif %}

templates/nginx_site.j2

@@ -1,6 +1,6 @@
 server {
         listen 80;
-	server_name {{ instance.domain }};
+	server_name {{ instance.name }};
 {% if instance.alias is defined %}
   {% for alias in instance.alias %}
 	server_name {{ alias }};
@@ -12,9 +12,9 @@ server {
 
 server {
 	listen 443 ssl http2;
-        server_name {{ instance.domain }};
+        server_name {{ instance.name }};
-        ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem;
+        ssl_certificate /var/lib/dehydrated/certs/{{ instance.name }}/fullchain.pem;
-        ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem;
+        ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.name }}/privkey.pem;
         include /etc/nginx/proxy_params;
         add_header Referrer-Policy $referrerpolicy;
         add_header Strict-Transport-Security $sts;

templates/php_fpm_pool.j2

@@ -1,40 +1,32 @@
+[global]
+error_log = ${FPM_ERROR_LOG}
+
 [{{ instance.user }}]
-;prefix = /path/to/pools/$pool
+listen = ${FPM_SOCKET_PATH}
-user = $pool
-group = $pool
-listen = /run/php/php-fpm-$pool.sock
-listen.owner =  $pool
-listen.group = www-data
-listen.mode = 0660
-listen.allowed_clients = 127.0.0.1
 pm = dynamic
 pm.max_children = 60
 pm.start_servers = 10
 pm.min_spare_servers = 10
 pm.max_spare_servers = 30
-pm.process_idle_timeout = 10s;
+pm.process_idle_timeout = 10s
-pm.max_requests = 100
+pm.max_requests = 200
 pm.status_path = /status
 chdir = /
 clear_env = no
 security.limit_extensions = .php .php3 .php4 .php5
-env[HOSTNAME] = $HOSTNAME
+php_admin_value[opcache.validate_permission] = 1
-env[PATH] = /usr/local/bin:/usr/bin:/bin
+php_admin_value[opcache.validate_root] = 1
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-php_admin_value[memory_limit] = {{ nextcloud_php_memory_limit }}
-php_admin_value[upload_max_filesize] = {{ nextcloud_php_upload_limit }}
-php_admin_value[post_max_size] = {{ nextcloud_php_upload_limit }}
-php_admin_value[opcache.enable] = 1
 php_admin_value[opcache.interned_strings_buffer] = 8
 php_admin_value[opcache.max_accelerated_files] = 10000
 php_admin_value[opcache.memory_consumption] = 128
 php_admin_value[opcache.save_comments] = 1
 php_admin_value[opcache.revalidate_freq] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = {{ nextcloud_php_memory_limit }}
+php_admin_value[upload_max_filesize] = {{ nextcloud_php_upload_limit }}
+php_admin_value[post_max_size] = {{ nextcloud_php_upload_limit }}
 php_admin_value[open_basedir] = {{ nextcloud_install_path }}:/tmp:/dev/urandom:/proc/meminfo:/var/log:/sys/class/net/eth0:/sys/class/net/lo
 ;php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo

templates/systemd/php-fpm@.service.j2

@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+#
+# This service can be enabled for Wordpress site.
+# It uses a single php-fpm configuration file.
+# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
+
+[Unit]
+Description=The PHP FastCGI Process Manager for %I
+Documentation=man:php-fpm{{ php_version.stdout }}(8)
+After=network.target
+Requires=php-fpm@%i.socket
+
+[Service]
+User=%i
+Group=%i
+Type=notify
+Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
+Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
+# this variable is used in the pool configuration file
+Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
+ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_dir }}/%i.cfg
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
+
+# Hardening
+# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target