[Service]
LimitNOFILE=100000
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
ProtectHome=true
PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native
ReadWritePaths=-/var/log/mysql/
ReadWritePaths=-/var/lib/mysql/
ReadWritePaths=-/var/run/mysqld/
ReadWritePaths=-/run/mysqld/
InaccessiblePaths=/var/www/