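# nginx.service — root-owned nginx master plus workers (LuaJIT-enabled build),
# run under systemd sandboxing. Read by systemd; '#' comments are full-line only.
[Unit]
Description=A high performance web server and a reverse proxy server (twiy)
# syslog.target is obsolete on current systemd but harmless to keep listed.
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
# No User= is set, so the master starts as root; worker privilege drop is
# expected to come from the 'user' directive in nginx.conf (not visible here).
Type=forking
# Must match the 'pid' directive in /nginx/nginx.conf; systemd reads this file
# after the master forks and derives $MAINPID from it.
PIDFile=/run/nginx.pid
# jemalloc is preloaded into the root-owned master. The .so and its directory
# must be writable only by root, otherwise this line is a privilege-escalation
# path (package-managed /usr/lib is fine; do not point this at a user path).
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# Pre-create the tmpfs temp dirs and the log dir, owned by nginx, mode 0755.
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 \
    /run/nginx/temp /run/nginx/temp/client_body /run/nginx/temp/proxy \
    /run/nginx/temp/fastcgi /run/nginx/temp/uwsgi /run/nginx/temp/scgi \
    /var/log/nginx
# The config test must name the same file ExecStart uses. Without -c,
# 'nginx -t' validates the compiled-in default config path, not
# /nginx/nginx.conf, so a broken production config would pass the pre-check
# and only fail at ExecStart.
ExecStartPre=/usr/sbin/nginx -t -c /nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /nginx/nginx.conf
# $MAINPID is populated from PIDFile=, so no /bin/sh + cat round-trip is
# needed. HUP = reload config and reopen logs; QUIT = graceful shutdown.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
TimeoutStartSec=10
LimitNOFILE=65535

# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
# These bound what a compromised master or worker can reach. Every directive
# below was kept because the stack is known to start with it; test before
# tightening further.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
# AF_NETLINK is presumably needed by something in this stack (e.g. interface
# enumeration); not verifiable from this file — drop it if nginx and the
# raweb agent start cleanly without it.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
# Filtered syscalls return EPERM instead of raising SIGSYS, so a missing
# syscall surfaces as an nginx error-log line rather than a killed worker.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
# CAVEAT: /nginx holds the active config (-c /nginx/nginx.conf) and is also
# writable, so the service can modify its own configuration at runtime. If
# only a subdirectory needs writes, narrow this entry to that subdirectory.
# Likewise all of /run is writable; RuntimeDirectory=nginx would be tighter
# once the 'pid' directive in nginx.conf moves under /run/nginx/.
ReadWritePaths=/run /var/log/nginx /nginx /hostdata

# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
# allows reads everywhere by default — these are documented for the operator's
# benefit (and so they survive future hardening tightening).
ReadOnlyPaths=/raweb /srv /etc/letsencrypt

# NOTE deliberately OFF:
# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
#
# Candidates not yet enabled (untested against this build; the root master
# needs at least CAP_NET_BIND_SERVICE, CAP_SETUID and CAP_SETGID, and
# typically CAP_CHOWN/CAP_DAC_OVERRIDE for log and temp files):
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
# ProtectProc=invisible

[Install]
WantedBy=multi-user.target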