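# systemd service unit: Apache with PHP 7.4, run inside the chroot tree
# /chroot/httpd74 with systemd sandboxing applied on top.
# One directive per line; systemd only recognises full-line comments, so
# every note sits on its own line above the directive it describes.

[Unit]
Description=Apache with PHP 7.4
# Ordering only: start after these targets if they are part of the transaction.
After=network.target remote-fs.target nss-lookup.target
# This service is stopped whenever chr-httpd74.target stops or becomes inactive.
BindsTo=chr-httpd74.target

[Service]
# The control script is expected to fork and exit once the daemon is running.
# NOTE(review): no PIDFile= is set, so systemd has to guess the main PID;
# Restart= handling depends on that guess - confirm it tracks the right process.
Type=forking
# All commands below run chrooted into this tree, so /usr/sbin/apache2ctl-74
# is resolved inside /chroot/httpd74, not on the host.
RootDirectory=/chroot/httpd74
# "no" is the default: the chroot applies to ExecStop/ExecReload as well as ExecStart.
RootDirectoryStartOnly=no
# Presumably read by the apache2ctl wrapper - verify against the script in the chroot.
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apache2ctl-74 start
ExecStop=/usr/sbin/apache2ctl-74 stop
ExecReload=/usr/sbin/apache2ctl-74 graceful
# Restart only when the process dies from an uncaught signal, not on a non-zero exit.
Restart=on-abort
# Files created by the service are group-writable (mode bits 002 masked).
UMask=002

# --- Sandboxing that is currently active ---
# Private /tmp and /var/tmp for this service.
PrivateTmp=true
# Mount /proc, /sys and /dev inside the RootDirectory= tree.
MountAPIVFS=true
# Processes cannot gain privileges through execve() (setuid bits, file capabilities).
NoNewPrivileges=true
# Private /dev holding only pseudo-devices such as /dev/null and /dev/urandom.
PrivateDevices=true
DevicePolicy=closed
# /usr, the boot loader directories and /etc are mounted read-only.
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# Hide processes of other users in /proc and expose only the per-process subset.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
# /home, /root and /run/user are made inaccessible.
ProtectHome=true

# --- Hardening that is currently DISABLED ---
# The commented-out directives below have no effect. In particular the service
# keeps the default capability bounding set and is not restricted in the socket
# address families or namespaces it may use.
# NOTE(review): re-enable them one at a time and test; `systemd-analyze security
# <unit>.service` (placeholder name) shows what remains exposed.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
#MemoryDenyWriteExecute=yes
#LockPersonality=yes

# --- File system access ---
# Paths here carry no "+" prefix, so they are host-side paths naming the chroot
# tree as seen from outside RootDirectory=.
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
# The whole chroot tree is read-only, except for the ReadWritePaths= entries.
ReadOnlyPaths=/chroot/httpd74
# NOTE(review): the entire web tree is writable by the service. If only upload
# or cache directories need writes, narrow this so served PHP code stays read-only.
ReadWritePaths=/chroot/httpd74/web
ReadWritePaths=/chroot/httpd74/var/log/apache2
ReadWritePaths=/chroot/httpd74/run
# NOTE(review): proc and sys are listed here while MountAPIVFS=, ProtectProc= and
# ProcSubset= are also set - check in a running instance which of them wins.
InaccessiblePaths=/chroot/httpd74/boot /chroot/httpd74/sys /chroot/httpd74/proc

# Runtime directory: the chroot's own run tree appears as /run (non-recursive bind).
BindPaths=/chroot/httpd74/run:/run:norbind
# Logging and sd_notify: expose the host's notify socket and journal dev-log socket.
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# MySQL: expose the host's /run/mysqld inside the chroot.
# The leading "-" makes systemd skip this mount when the source does not exist.
BindPaths=-/run/mysqld:/run/mysqld:norbind

[Install]
# Enabled through the dedicated chroot target rather than multi-user.target.
#WantedBy=multi-user.target
WantedBy=chr-httpd74.target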