# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop: workers finish in-flight requests,
# then exit) to the nginx master via start-stop-daemon (--retry QUIT/5).
# If, after 5s, nginx is still running, systemd takes control and sends
# SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the unit's control group
# (KillMode=mixed: SIGTERM goes to the main process only, SIGKILL to the rest).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
# The service is chrooted into /chroot/proxyd (RootDirectory=). Because
# RootDirectoryStartOnly=no, ExecStartPre/ExecReload/ExecStop run inside the
# chroot as well, so /usr/sbin/nginx and /sbin/start-stop-daemon must exist
# there, and the "--pidfile /run/nginx.pid" seen by ExecStop is the same file
# as PIDFile=/chroot/proxyd/run/nginx.pid on the host.

[Unit]
Description=Nginx in chroot
Documentation=man:nginx(8)
After=network.target local-fs.target
# Stopped/restarted together with the target that groups the chrooted proxy units.
PartOf=chr-proxyd.target

[Service]
Type=forking
# Host-side path of the PID file the master process writes.
PIDFile=/chroot/proxyd/run/nginx.pid
RootDirectory=/chroot/proxyd
RootDirectoryStartOnly=no
# Validate the configuration first; without a "-" prefix a broken config
# fails the unit here instead of leaving a half-started service.
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
# "-" prefix: a failed or missing start-stop-daemon is not fatal; systemd then
# falls back to the SIGTERM/SIGKILL sequence described in the header.
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

# --- Sandboxing ----------------------------------------------------------------
PrivateTmp=true
# Mount /proc, /sys and /dev inside the chroot; ProtectProc=/ProcSubset= below
# only have an effect on a /proc that is actually mounted in the root.
MountAPIVFS=true
# Blocks gaining privileges via execve (setuid binaries, file caps); it does not
# stop the master's own setuid()/setgid() drop to the unprivileged worker user.
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# Hide other users' processes and everything in /proc except /proc/<pid>/.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
# The hardening options below are intentionally left off. Before enabling:
# - RestrictAddressFamilies: AF_UNIX/AF_INET/AF_INET6 cover the listeners and
#   the journald log socket bound in below; AF_NETLINK is only needed if a
#   module actually uses it.
# - CapabilityBoundingSet as written lacks CAP_SETUID/CAP_SETGID, which a
#   master running as root needs to switch workers to the "user" from
#   nginx.conf. NOTE(review): confirm against nginx.conf before enabling.
# - RestrictNamespaces/RestrictRealtime/LockPersonality: nginx is not known to
#   need namespaces, realtime scheduling or personality changes; verify on a
#   test instance rather than in production.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
#RestrictRealtime=yes
RestrictSUIDSGID=yes
# W^X: no mapping may be writable and executable at once.
# NOTE(review): "pcre_jit on" or other JIT-using modules need such mappings and
# would fail under this setting -- confirm they are not enabled in nginx.conf.
MemoryDenyWriteExecute=yes
#LockPersonality=yes

# --- Filesystem view -----------------------------------------------------------
# NOTE(review): the ReadOnlyPaths/ReadWritePaths/InaccessiblePaths entries below
# are written as host paths (/chroot/proxyd/...). Confirm with the systemd
# version in use that these settings are not resolved relative to RootDirectory=;
# if they were, the entries without a "-" prefix would refer to non-existent
# /chroot/proxyd/chroot/proxyd/... paths and fail mount namespace setup.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/proxyd
# Only the runtime, state, log, cache and web trees are writable.
ReadWritePaths=/chroot/proxyd/run
ReadWritePaths=/chroot/proxyd/var/lib/nginx /chroot/proxyd/var/log/nginx /chroot/proxyd/var/cache/nginx
# "-" prefix: entry is ignored if the path does not exist.
ReadWritePaths=-/chroot/proxyd/var/cache/web
ReadWritePaths=-/chroot/proxyd/usr/share/nginx/off
ReadWritePaths=/chroot/proxyd/web
InaccessiblePaths=/chroot/proxyd/boot /chroot/proxyd/sys /chroot/proxyd/proc
# Bind mounts: the source is a host path, the destination is below
# RootDirectory=; "norbind" keeps each bind non-recursive (submounts of the
# source are not carried into the chroot).
# run
BindPaths=/chroot/proxyd/run:/run:norbind
# systemd notify, log (presumably the journald socket for nginx's syslog: targets)
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# sys-ssl
BindPaths=-/etc/ssl/sys:/etc/ssl/sys:norbind
# geoip
BindPaths=-/usr/share/GeoIP:/usr/share/GeoIP:norbind
# web
BindPaths=-/srv/web:/web:norbind
BindPaths=-/srv/webtmp:/web/temp:norbind
BindPaths=-/srv/log/nginx:/var/log/nginx:norbind

[Install]
#WantedBy=multi-user.target
WantedBy=chr-proxyd.target