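# Template unit: one sandboxed PHP-FPM 8.2 master per site. %i / %I expand to
# the instance name (escaped / unescaped), which selects the per-site config,
# runtime, state and web-root directories used below.
# Review the effective sandbox with:
#   systemd-analyze security <unit>@<site>.service
[Unit]
Description=The PHP 8.2 FastCGI Process Manager for %I
Documentation=man:php-fpm8.2(8)
After=network.target
Before=nginx.service
# PartOf=php.target

[Service]
Type=notify
PIDFile=/run/php-fpm/%i/main.pid
ExecStart=/usr/sbin/php-fpm8.2 --nodaemonize --fpm-config /etc/php/8.2/fpm/sites/%i/php.conf --php-ini /etc/php/8.2/fpm/sites/%i/php.ini --pid /run/php-fpm/%i/main.pid --force-stderr
# SIGUSR2 asks the FPM master to reload gracefully.
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=journal
StandardError=journal

# The master starts unprivileged; every instance shares this account.
# NOTE(review): file-system sandboxing is the only separation between sites
# here. A distinct User=/Group= per instance would add UID-level separation.
User=www-data
Group=www-data
WorkingDirectory=/var/www/%i
Environment=HOME=/var/www/%i
Environment=TEMP=/var/lib/php-fpm/%i/tmp TMP=/var/lib/php-fpm/%i/tmp TMPDIR=/var/lib/php-fpm/%i/tmp

# Cover /var with an empty read-only tmpfs. Only the paths bound back in
# below are visible under /var inside the service's mount namespace.
TemporaryFileSystem=/var:ro
# The "-" prefix makes systemd skip a path that does not exist on this host
# (for example /lost+found on a non-ext root) instead of failing the start.
InaccessiblePaths=-/boot -/home -/lost+found -/media -/mnt -/opt -/root -/srv

# permits for /var/run
# NOTE(review): the tmpfs on /var masks only the /var/run alias (where
# /var/run is a symlink to /run). /run itself stays visible read-only,
# including sibling instances' /run/php-fpm/<site> directories. Confirm the
# socket owner/mode in each php.conf if sites must not reach each other.
RuntimeDirectory=php-fpm/%i
#TemporaryFileSystem=/var/run/php-fpm:ro
BindPaths=/var/run/php-fpm/%i
ReadWritePaths=/var/run/php-fpm/%i
# A client only connects to the PostgreSQL socket, which works through a
# read-only bind mount, so the directory is not exposed writable.
# The path is mandatory: the unit fails to start if it is missing.
BindReadOnlyPaths=/var/run/postgresql

# Per-site state: PHP session files and the TEMP/TMP/TMPDIR scratch directory.
#TemporaryFileSystem=/var/lib/php-fpm:ro
BindPaths=/var/lib/php-fpm/%i
StateDirectory=php-fpm/%i/sessions
ReadWritePaths=/var/lib/php-fpm/%i/sessions
StateDirectory=php-fpm/%i/tmp
ReadWritePaths=/var/lib/php-fpm/%i/tmp

# Hide the other sites' FPM configuration; expose this site's read-only.
TemporaryFileSystem=/etc/php/8.2/fpm/sites:ro
BindPaths=/etc/php/8.2/fpm/sites/%i
ConfigurationDirectory=php/8.2/fpm/sites/%i
ReadOnlyPaths=/etc/php/8.2/fpm/sites/%i

# Web root. It is writable by the PHP processes.
# NOTE(review): narrowing ReadWritePaths= to upload/cache subdirectories
# would stop a compromised application from rewriting its own code. The
# layout under /var/www/%i is not visible here.
#TemporaryFileSystem=/var/www:ro
BindPaths=/var/www/%i
ReadWritePaths=/var/www/%i

# Already implied: the seccomp-based options below run without CAP_SYS_ADMIN
# because User= is set. Stated explicitly so it survives if they are removed.
NoNewPrivileges=yes
ProtectSystem=strict
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateDevices=yes
ProtectHome=yes
ProtectProc=invisible
PrivateTmp=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Blocks memory mappings that are writable and executable. PHP's PCRE JIT
# (and typically the OPcache JIT) need such mappings. Set pcre.jit=0 and
# keep opcache.jit off in the per-site php.ini to avoid JIT allocation
# warnings at runtime.
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
# NOTE(review): not set in this unit and worth evaluating for PHP-FPM:
# SystemCallFilter=, SystemCallArchitectures=, RestrictNamespaces=,
# LockPersonality=, RestrictRealtime=, UMask=.

[Install]
WantedBy=multi-user.target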