diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix
index f8a18954fc9..989866144e1 100644
--- a/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixos/modules/services/web-servers/unit/default.nix
@@ -91,41 +91,47 @@ in {
       description = "Unit App Server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      path = with pkgs; [ curl ];
       preStart = ''
-        test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json'
+        [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json'
       '';
       postStart = ''
-        curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
+        ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
       '';
       serviceConfig = {
+        Type = "forking";
+        PIDFile = "/run/unit/unit.pid";
         ExecStart = ''
           ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
-                                   --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
+                                   --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \
                                    --user ${cfg.user} --group ${cfg.group}
         '';
-        # User and group
-        User = cfg.user;
-        Group = cfg.group;
-        # Capabilities
-        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+        ExecStop = ''
+          ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
+        '';
+        # Runtime directory and mode
+        RuntimeDirectory = "unit";
+        RuntimeDirectoryMode = "0750";
+        # Access write directories
+        ReadWritePaths = [ cfg.stateDir cfg.logDir ];
         # Security
         NoNewPrivileges = true;
         # Sandboxing
-        ProtectSystem = "full";
+        ProtectSystem = "strict";
         ProtectHome = true;
-        RuntimeDirectory = "unit";
-        RuntimeDirectoryMode = "0750";
         PrivateTmp = true;
         PrivateDevices = true;
         ProtectHostname = true;
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
         ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
         RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
       };
     };
 
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 46f552b26a4..d1b1acc292d 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -321,6 +321,7 @@ in
   trickster = handleTest ./trickster.nix {};
   tuptime = handleTest ./tuptime.nix {};
   udisks2 = handleTest ./udisks2.nix {};
+  unit-php = handleTest ./web-servers/unit-php.nix {};
   upnp = handleTest ./upnp.nix {};
   uwsgi = handleTest ./uwsgi.nix {};
   vault = handleTest ./vault.nix {};
diff --git a/nixos/tests/web-servers/unit-php.nix b/nixos/tests/web-servers/unit-php.nix
new file mode 100644
index 00000000000..c6327a1f825
--- /dev/null
+++ b/nixos/tests/web-servers/unit-php.nix
@@ -0,0 +1,47 @@
+import ../make-test-python.nix ({pkgs, ...}:
+ let
+    testdir = pkgs.writeTextDir "www/info.php" "<?php phpinfo();";
+
+in {
+  name = "unit-php-test";
+  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ izorkin ];
+
+  machine = { config, lib, pkgs, ... }: {
+    services.unit = {
+      enable = true;
+      config = ''
+        {
+          "listeners": {
+            "*:9074": {
+              "application": "php_74"
+            }
+          },
+          "applications": {
+            "php_74": {
+              "type": "php 7.4",
+              "processes": 1,
+              "user": "testuser",
+              "group": "testgroup",
+              "root": "${testdir}/www",
+              "index": "info.php"
+            }
+          }
+        }
+      '';
+    };
+    users = {
+      users.testuser = {
+        isNormalUser = false;
+        uid = 1074;
+        group = "testgroup";
+      };
+      groups.testgroup = {
+        gid= 1074;
+      };
+    };
+  };
+  testScript = ''
+    machine.wait_for_unit("unit.service")
+    assert "PHP Version ${pkgs.php74.version}" in machine.succeed("curl -vvv -s http://127.0.0.1:9074/")
+  '';
+})
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index 0779a31f106..c161566d329 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -1,8 +1,9 @@
-{ stdenv, fetchFromGitHub, which
+{ stdenv, fetchFromGitHub, nixosTests, which
 , withPython2 ? false, python2
 , withPython3 ? true, python3, ncurses
 , withPHP72 ? false, php72
-, withPHP73 ? true, php73
+, withPHP73 ? false, php73
+, withPHP74 ? true, php74
 , withPerl528 ? false, perl528
 , withPerl530 ? true, perl530
 , withPerldevel ? false, perldevel
@@ -28,22 +29,19 @@ let
 
   php72-unit = php72.override phpConfig;
   php73-unit = php73.override phpConfig;
+  php74-unit = php74.override phpConfig;
+
 in stdenv.mkDerivation rec {
-  version = "1.16.0";
+  version = "1.17.0";
   pname = "unit";
 
   src = fetchFromGitHub {
     owner = "nginx";
     repo = "unit";
     rev = version;
-    sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l";
+    sha256 = "1q3659vw8rxv4fk7ljkjav8ga72sb3arljfxcqw8b080f9hvi7hh";
   };
 
-  patches = [
-    # https://github.com/nginx/unit/issues/357
-    ./drop_cap.patch
-  ];
-
   nativeBuildInputs = [ which ];
 
   buildInputs = [ ]
@@ -51,6 +49,7 @@ in stdenv.mkDerivation rec {
     ++ optionals withPython3 [ python3 ncurses ]
     ++ optional withPHP72 php72-unit
     ++ optional withPHP73 php73-unit
+    ++ optional withPHP73 php74-unit
     ++ optional withPerl528 perl528
     ++ optional withPerl530 perl530
     ++ optional withPerldevel perldevel
@@ -73,6 +72,7 @@ in stdenv.mkDerivation rec {
     ${optionalString withPython3    "./configure python --module=python3  --config=${python3}/bin/python3-config  --lib-path=${python3}/lib"}
     ${optionalString withPHP72      "./configure php    --module=php72    --config=${php72-unit.unwrapped.dev}/bin/php-config --lib-path=${php72-unit}/lib"}
     ${optionalString withPHP73      "./configure php    --module=php73    --config=${php73-unit.unwrapped.dev}/bin/php-config --lib-path=${php73-unit}/lib"}
+    ${optionalString withPHP74      "./configure php    --module=php74    --config=${php74-unit.unwrapped.dev}/bin/php-config --lib-path=${php74-unit}/lib"}
     ${optionalString withPerl528    "./configure perl   --module=perl528  --perl=${perl528}/bin/perl"}
     ${optionalString withPerl530    "./configure perl   --module=perl530  --perl=${perl530}/bin/perl"}
     ${optionalString withPerldevel  "./configure perl   --module=perldev  --perl=${perldevel}/bin/perl"}
@@ -81,6 +81,8 @@ in stdenv.mkDerivation rec {
     ${optionalString withRuby_2_7   "./configure ruby   --module=ruby27   --ruby=${ruby_2_7}/bin/ruby"}
   '';
 
+  passthru.tests.unit-php = nixosTests.unit-php;
+
   meta = {
     description = "Dynamic web and application server, designed to run applications in multiple languages.";
     homepage    = "https://unit.nginx.org/";
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
deleted file mode 100644
index 87caf77904e..00000000000
--- a/pkgs/servers/http/unit/drop_cap.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-diff -r ed17ce89119f src/nxt_capability.c
---- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000
-@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
-     return NXT_OK;
- }
- 
-+
-+nxt_int_t
-+nxt_capability_drop_all(nxt_task_t *task)
-+{
-+    struct __user_cap_header_struct hdr;
-+    struct __user_cap_data_struct data[2];
-+
-+    hdr.version = nxt_capability_linux_get_version();
-+    hdr.pid = nxt_pid;
-+
-+    nxt_memset(data, 0, sizeof(data));
-+
-+    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
-+        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
-+        return NXT_ERROR;
-+    }
-+
-+    return NXT_OK;
-+}
-+
- #else
- 
- static nxt_int_t
-diff -r ed17ce89119f src/nxt_capability.h
---- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000
-@@ -14,4 +14,6 @@ typedef struct {
- NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
-     nxt_capabilities_t *cap);
- 
-+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
-+
- #endif /* _NXT_CAPABILITY_INCLUDED_ */
-diff -r ed17ce89119f src/nxt_process.c
---- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
-+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
-@@ -264,7 +264,7 @@ cleanup:
- static void
- nxt_process_start(nxt_task_t *task, nxt_process_t *process)
- {
--    nxt_int_t                    ret, cap_setid;
-+    nxt_int_t                    ret, cap_setid, drop_caps;
-     nxt_port_t                   *port, *main_port;
-     nxt_thread_t                 *thread;
-     nxt_runtime_t                *rt;
-@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
- 
-     cap_setid = rt->capabilities.setid;
- 
-+    drop_caps = cap_setid;
-+
- #if (NXT_HAVE_CLONE_NEWUSER)
--    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
-+    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
-         cap_setid = 1;
-+        drop_caps = 0;
-     }
- #endif
- 
-@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
-         if (nxt_slow_path(ret != NXT_OK)) {
-             goto fail;
-         }
-+
-+#if (NXT_HAVE_LINUX_CAPABILITY)
-+        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
-+            goto fail;
-+        }
-+#endif
-     }
- 
-     rt->type = init->type;
\ No newline at end of file