| # /usr/lib/systemd/system/php-fpm.service
|
| # It's not recommended to modify this file in-place, because it
|
| # will be overwritten during upgrades. If you want to customize,
|
| # the best way is to use the "systemctl edit" command.
|
|
|
| [Unit]
|
| Description=The PHP FastCGI Process Manager
|
| After=network.target
|
|
|
| [Service]
|
| Type=notify
|
| PIDFile=/run/php-fpm/php-fpm.pid
|
| ExecStart=/usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/php-fpm.conf
|
| ExecReload=/bin/kill -USR2 $MAINPID
|
|
|
| # Set up a new file system namespace and mounts private /tmp and /var/tmp directories
|
| # so this service cannot access the global directories and other processes cannot
|
| # access this service's directories.
|
| PrivateTmp=true
|
|
|
| # Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
|
| ProtectSystem=full
|
|
|
| # Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
|
| # such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
|
| # but no physical devices such as /dev/sda.
|
| PrivateDevices=true
|
|
|
| # Explicit module loading will be denied. This allows to turn off module load and unload
|
| # operations on modular kernels. It is recommended to turn this on for most services that
|
| # do not need special file systems or extra kernel modules to work.
|
| ProtectKernelModules=true
|
|
|
| # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
|
| # /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
|
| # of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
|
| # sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
|
| # recommended to turn this on for most services.
|
| ProtectKernelTunables=true
|
|
|
| # The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
|
| # made read-only to all processes of the unit. Except for container managers no services should
|
| # require write access to the control groups hierarchies; it is hence recommended to turn this on
|
| # for most services
|
| ProtectControlGroups=true
|
|
|
| # Any attempts to enable realtime scheduling in a process of the unit are refused.
|
| RestrictRealtime=true
|
|
|
| # Restricts the set of socket address families accessible to the processes of this unit.
|
| # Protects against vulnerabilities such as CVE-2016-8655
|
| RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
|
|
| # Takes away the ability to create or manage any kind of namespace
|
| RestrictNamespaces=true
|
|
|
| [Install]
|
| WantedBy=multi-user.target
|
|
|
| # /etc/systemd/system/php-fpm.service.d/nextcloud.conf
|
| [Service]
|
| # Your data directory
|
| ReadWritePaths=/var/lib/nextcloud/data
|
|
|
| # Optional: add if you've set the default apps directory to be writable in config.php
|
| # ReadWritePaths=/usr/share/webapps/nextcloud/apps
|
| ReadWritePaths=/var/lib/nextcloud/apps
|
|
|
| # Optional: unnecessary if you've set 'config_is_read_only' => true in your config.php
|
| ReadWritePaths=/usr/share/webapps/nextcloud/config
|
| ReadWritePaths=/etc/webapps/nextcloud/config
|
|
|
| # Optional: add if you want to use Nextcloud's internal update process
|
| # ReadWritePaths=/usr/share/webapps/nextcloud
|