# systemd unit for the "Admin Apache" instance: runs /usr/sbin/apache2-admin with
# /chroot/admin as its root directory, plus a set of sandboxing options.
# Full-line "#" comments only; systemd does not support trailing comments.

[Unit]
Description=Admin Apache
# Ordering only: After= does not start mariadb-admin.service, and this unit has no
# Wants=/Requires= on it.
After=network.target local-fs.target remote-fs.target nss-lookup.target mariadb-admin.service
# Stopping or restarting chr-admin.target is propagated to this unit.
PartOf=chr-admin.target

[Service]
Type=simple
# Every process of this service sees /chroot/admin as "/".
RootDirectory=/chroot/admin
# "no": the root directory change also applies to ExecStartPre=, ExecReload= and
# ExecStop=, so all binaries and paths on the Exec* lines resolve inside the chroot.
RootDirectoryStartOnly=no
# Variables handed to apache2-admin. Presumably consumed by the Apache configuration
# inside the chroot (Debian-style envvars) - confirm there.
# NOTE(review): no User=/Group= is set in this unit, so (assuming a system unit with no
# drop-in) the Exec* commands start as root; APACHE_RUN_USER/APACHE_RUN_GROUP only drop
# privileges if the Apache configuration actually uses them.
Environment=APACHE_STARTED_BY_SYSTEMD=true
Environment=APACHE_RUN_USER=www-data
Environment=APACHE_RUN_GROUP=www-data
Environment=APACHE_PID_FILE=/run/apache2/apache2.pid
Environment=APACHE_RUN_DIR=/run/apache2
Environment=APACHE_LOCK_DIR=/run/lock/apache2
Environment=APACHE_LOG_DIR=/var/log/apache2
Environment=LANG=C
Environment=LANGUAGE=C
Environment=LC_ALL=C
# Create the lock directory (owner/group www-data, mode 0755) before start-up.
ExecStartPre=/usr/bin/install -d -o www-data -g www-data -m 0755 /run/lock/apache2
# Configuration syntax check; a failure here aborts the start.
ExecStartPre=/usr/sbin/apache2-admin -t
# Stay in the foreground, as Type=simple expects.
ExecStart=/usr/sbin/apache2-admin -DFOREGROUND
ExecReload=/usr/sbin/apache2-admin -k graceful
ExecStop=/usr/sbin/apache2-admin -k stop
# Restart only when the main process dies from an uncaught signal; a non-zero exit
# code does not trigger a restart.
Restart=on-abort
# New files default to group-writable (0664) and directories to 0775.
UMask=002

# --- Sandboxing ---
# Private /tmp and /var/tmp for this service.
PrivateTmp=true
# Mount the API file systems (such as /proc, /sys, /dev) inside the root directory.
MountAPIVFS=true
# execve() can no longer grant privileges (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /dev with pseudo-devices only; DevicePolicy=closed limits device access
# in the same way at the cgroup level.
PrivateDevices=true
DevicePolicy=closed
# /usr, the boot loader directories and /etc are mounted read-only.
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# Hide other users' processes in /proc and expose only the per-process part of it.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
# /home, /root and /run/user are inaccessible.
ProtectHome=true
# NOTE(review): the commented-out hardening below is disabled without a recorded reason.
# As written, socket address families and namespace creation are unrestricted and no
# explicit capability bounding set is configured. The candidate capability list names
# only CAP_NET_BIND_SERVICE and CAP_DAC_READ_SEARCH; an Apache that starts as root and
# switches to www-data would presumably also need CAP_SETUID/CAP_SETGID, and the
# "install -o/-g" pre-step CAP_CHOWN - verify before enabling.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# NOTE(review): also disabled without a stated reason; confirm whether something loaded
# into Apache needs writable+executable memory or personality changes.
#MemoryDenyWriteExecute=yes
#LockPersonality=yes

# --- File system view ---
# Paths in ReadOnlyPaths=/ReadWritePaths=/InaccessiblePaths= carry no leading "+", so
# systemd resolves them against the host root rather than RootDirectory=; hence the
# /chroot/admin prefix.
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
# The whole chroot tree is read-only, except for the ReadWritePaths= entries below.
ReadOnlyPaths=/chroot/admin
ReadWritePaths=/chroot/admin/web
ReadWritePaths=/chroot/admin/var/log/apache2
ReadWritePaths=/chroot/admin/run
# NOTE(review): proc and sys are listed as inaccessible while MountAPIVFS=true,
# ProtectProc= and ProcSubset= ask for /proc to be mounted inside the root directory.
# Confirm which setting takes effect on the deployed systemd version.
InaccessiblePaths=/chroot/admin/boot /chroot/admin/sys /chroot/admin/proc

# BindPaths= syntax is SOURCE:DESTINATION:OPTIONS. SOURCE is a host path and DESTINATION
# is a path inside the root directory. "norbind" makes the bind non-recursive, and a
# leading "-" ignores a missing source. BindPaths= mounts are writable;
# BindReadOnlyPaths= is the read-only form.
# Chroot's own run directory as /run; the later binds place entries below it.
BindPaths=/chroot/admin/run:/run:norbind
# Host systemd notify socket and journal /dev/log socket, for logging from the chroot.
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# Apache logs are stored on the host under /srv/log/apache2-admin.
BindPaths=/srv/log/apache2-admin:/var/log/apache2:norbind
# Socket directory of the admin MariaDB instance, seen as /run/mysqld in the chroot.
BindPaths=-/run/mysqld-admin:/run/mysqld:norbind
# Host /run/mysqld (labelled "mysql (root)" by the author), seen as /run/mysqld-root.
# NOTE(review): this exposes a second database socket directory to this Apache
# instance through a writable bind. Confirm the access is required, and check whether
# BindReadOnlyPaths= would suffice for this directory.
BindPaths=-/run/mysqld:/run/mysqld-root:norbind
# System TLS material.
# NOTE(review): this is bound writable. If Apache only reads certificates and keys from
# it, a read-only bind would keep a compromised process from altering them - confirm.
BindPaths=-/etc/ssl/sys:/etc/ssl/sys:norbind
# Munin output from the host, placed under /web/sys/admin/stat.
# NOTE(review): also a writable bind; confirm nothing in the chroot needs to write there.
BindPaths=-/var/cache/munin/www:/web/sys/admin/stat:norbind

[Install]
# Enabled through chr-admin.target rather than the default multi-user.target.
#WantedBy=multi-user.target
WantedBy=chr-admin.target