authorAaron Andersen <aaron@fosslib.net>2019-06-28 21:47:43 -0400
committerAaron Andersen <aaron@fosslib.net>2019-06-28 21:47:43 -0400
commit278d867a9b50e2472b1724988363b26f8eea6bf7 (patch)
tree42366eff05fcae152a48d7eaa39ed6d1762096ff /nixos/modules/services
parent4b98e262a040f69197ad43cd4ec7f9106bf6495d (diff)
Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless"
This reverts commit b5478fd1a2ef442a54c36031bf3a27a96b5ea31c, reversing
changes made to dbb00bfcbfb291e79d4d2d512041656e6bcfcd9a.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/mail/roundcube.nix42
-rw-r--r--nixos/modules/services/misc/zoneminder.nix10
-rw-r--r--nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix36
-rw-r--r--nixos/modules/services/web-apps/limesurvey.nix8
-rw-r--r--nixos/modules/services/web-apps/matomo.nix38
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix13
-rw-r--r--nixos/modules/services/web-apps/restya-board.nix18
-rw-r--r--nixos/modules/services/web-apps/selfoss.nix45
-rw-r--r--nixos/modules/services/web-apps/tt-rss.nix12
-rw-r--r--nixos/modules/services/web-servers/phpfpm/default.nix186
-rw-r--r--nixos/modules/services/web-servers/phpfpm/pool-options.nix57
11 files changed, 241 insertions, 224 deletions
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 12837f7efe7..e8b2e11bf72 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -105,7 +105,7 @@ in
             extraConfig = ''
               location ~* \.php$ {
                 fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                fastcgi_pass unix:/run/phpfpm-roundcube/roundcube.sock;
+                fastcgi_pass unix:/run/phpfpm/roundcube;
                 include ${pkgs.nginx}/conf/fastcgi_params;
                 include ${pkgs.nginx}/conf/fastcgi.conf;
               }
@@ -119,28 +119,24 @@ in
       enable = true;
     };
 
-    services.phpfpm.pools.roundcube = {
-      socketName = "roundcube";
-      phpPackage = pkgs.php;
-      user = "${config.services.nginx.user}";
-      group = "${config.services.nginx.group}";
-      extraConfig = ''
-        listen.owner = ${config.services.nginx.user}
-        listen.group = ${config.services.nginx.group}
-        listen.mode = 0600
-        pm = dynamic
-        pm.max_children = 75
-        pm.start_servers = 2
-        pm.min_spare_servers = 1
-        pm.max_spare_servers = 20
-        pm.max_requests = 500
-        php_admin_value[error_log] = 'stderr'
-        php_admin_flag[log_errors] = on
-        php_admin_value[post_max_size] = 25M
-        php_admin_value[upload_max_filesize] = 25M
-        catch_workers_output = yes
-      '';
-    };
+    services.phpfpm.poolConfigs.roundcube = ''
+      listen = /run/phpfpm/roundcube
+      listen.owner = nginx
+      listen.group = nginx
+      listen.mode = 0660
+      user = nginx
+      pm = dynamic
+      pm.max_children = 75
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 20
+      pm.max_requests = 500
+      php_admin_value[error_log] = 'stderr'
+      php_admin_flag[log_errors] = on
+      php_admin_value[post_max_size] = 25M
+      php_admin_value[upload_max_filesize] = 25M
+      catch_workers_output = yes
+    '';
     systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
 
     systemd.services.roundcube-setup = let
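Review bot: The socket ownership is now hard-coded as `listen.owner = nginx` / `listen.group = nginx` (and the workers as `user = nginx`), where the removed lines derived these from `config.services.nginx.user` and `config.services.nginx.group`; a deployment that renames the nginx user ends up with a socket the web server cannot open. Restoring the interpolated form, `listen.owner = ${config.services.nginx.user}` and `listen.group = ${config.services.nginx.group}`, keeps the pool in step with the nginx module. The same hard-coding appears in icingaweb2.nix, nextcloud.nix, restya-board.nix, selfoss.nix and tt-rss.nix in this diff. `listen.mode = 0660` also widens the old 0600; with owner and group both nginx it grants nothing extra, so 0600 is the tighter choice.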
diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix
index b0ee961c77f..8d58c2b37c8 100644
--- a/nixos/modules/services/misc/zoneminder.nix
+++ b/nixos/modules/services/misc/zoneminder.nix
@@ -19,7 +19,7 @@ let
 
   useCustomDir = cfg.storageDir != null;
 
-  socket = "/run/phpfpm-zoneminder/zoneminder.sock";
+  socket = "/run/phpfpm/${dirName}.sock";
 
   zms = "/cgi-bin/zms";
 
@@ -284,10 +284,7 @@ in {
 
       phpfpm = lib.mkIf useNginx {
         pools.zoneminder = {
-          socketName = "zoneminder";
-          phpPackage = pkgs.php;
-          user = "${user}";
-          group = "${group}";
+          listen = socket;
           phpOptions = ''
             date.timezone = "${config.time.timeZone}"
 
@@ -295,6 +292,9 @@ in {
             "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)}
           '';
           extraConfig = ''
+            user = ${user}
+            group = ${group}
+
             listen.owner = ${user}
             listen.group = ${group}
             listen.mode = 0660
diff --git a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
index e83270fda5c..910e1d937bf 100644
--- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
+++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }: with lib; let
   cfg = config.services.icingaweb2;
   poolName = "icingaweb2";
+  phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";
 
   defaultConfig = {
     global = {
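Review bot: `phpfpmSocketName` points at `/var/run/phpfpm/${poolName}.sock` while the phpfpm service in this same diff creates its state directory as `/run/phpfpm` (`mkdir -p ${stateDir}`); this works only because `/var/run` is a symlink to `/run` on NixOS, and it reads as a different directory to anyone comparing it with the other pools. Using `/run/phpfpm/${poolName}.sock` here makes the dependency on the service-created directory explicit. tt-rss.nix has the same `/var/run/phpfpm/` path in its `listen` line.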
@@ -161,23 +162,19 @@ in {
   };
 
   config = mkIf cfg.enable {
-    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
-      "${poolName}" = {
-        socketName = "${poolName}";
-        phpPackage = pkgs.php;
-        user = "icingaweb2";
-        group = "icingaweb2";
-        extraConfig = ''
-          listen.owner = ${config.services.nginx.user}
-          listen.group = ${config.services.nginx.group}
-          listen.mode = 0600
-          pm = dynamic
-          pm.max_children = 75
-          pm.start_servers = 2
-          pm.min_spare_servers = 2
-          pm.max_spare_servers = 10
-        '';
-      };
+    services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
+      "${poolName}" = ''
+        listen = "${phpfpmSocketName}"
+        listen.owner = nginx
+        listen.group = nginx
+        listen.mode = 0600
+        user = icingaweb2
+        pm = dynamic
+        pm.max_children = 75
+        pm.start_servers = 2
+        pm.min_spare_servers = 2
+        pm.max_spare_servers = 10
+      '';
     };
 
     services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}")
@@ -209,7 +206,7 @@ in {
             include ${config.services.nginx.package}/conf/fastcgi.conf;
             try_files $uri =404;
             fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
+            fastcgi_pass unix:${phpfpmSocketName};
             fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php;
           '';
         };
@@ -242,8 +239,5 @@ in {
       group = "icingaweb2";
       isSystemUser = true;
     };
-    users.users.nginx = {
-      extraGroups = [ "icingaweb2" ];
-    };
   };
 }
diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix
index 99a33b8371c..f23b3075574 100644
--- a/nixos/modules/services/web-apps/limesurvey.nix
+++ b/nixos/modules/services/web-apps/limesurvey.nix
@@ -202,13 +202,13 @@ in
     };
 
     services.phpfpm.pools.limesurvey = {
-      socketName = "limesurvey";
       phpPackage = php;
-      user = "${user}";
-      group = "${group}";
+      listen = "/run/phpfpm/limesurvey.sock";
       extraConfig = ''
         listen.owner = ${config.services.httpd.user};
         listen.group = ${config.services.httpd.group};
+        user = ${user};
+        group = ${group};
 
         env[LIMESURVEY_CONFIG] = ${limesurveyConfig}
 
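Review bot: The added pool lines `user = ${user};` and `group = ${group};` carry trailing semicolons, as do the `listen.owner`/`listen.group` context lines above them; php-fpm's INI parser treats `;` as the start of a comment, so the values parse correctly only because everything after the semicolon is discarded, and anything later appended on the same line would vanish silently. Drop them: `user = ${user}` and `group = ${group}`. selfoss.nix's `listen = "${phpfpmSocketName}";` has the same stray `;`.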
@@ -241,7 +241,7 @@ in
             <Directory "${pkg}/share/limesurvey">
               <FilesMatch "\.php$">
                 <If "-f %{REQUEST_FILENAME}">
-                  SetHandler "proxy:unix:/run/phpfpm-limesurvey/limesurvey.sock|fcgi://localhost/"
+                  SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/"
                 </If>
               </FilesMatch>
 
diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix
index e058c18ad87..14aca45a342 100644
--- a/nixos/modules/services/web-apps/matomo.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@@ -4,14 +4,13 @@ let
   cfg = config.services.matomo;
 
   user = "matomo";
-  group = "matomo";
   dataDir = "/var/lib/${user}";
   deprecatedDataDir = "/var/lib/piwik";
 
   pool = user;
-  # it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
+  # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
   # and therefore is not accessible by the web server.
-  phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
+  phpSocket = "/run/phpfpm-${pool}.sock";
   phpExecutionUnit = "phpfpm-${pool}";
   databaseService = "mysql.service";
 
@@ -138,12 +137,9 @@ in {
       isSystemUser = true;
       createHome = true;
       home = dataDir;
-      group  = "${group}";
+      group  = user;
     };
-    users.users.${config.services.nginx.user} = {
-      extraGroups = [ "${group}" ];
-    };
-    users.groups.${group} = {};
+    users.groups.${user} = {};
 
     systemd.services.matomo-setup-update = {
       # everything needs to set up and up to date before Matomo php files are executed
@@ -173,7 +169,7 @@ in {
           echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
           mv -T ${deprecatedDataDir} ${dataDir}
         fi
-        chown -R ${user}:${group} ${dataDir}
+        chown -R ${user}:${user} ${dataDir}
         chmod -R ug+rwX,o-rwx ${dataDir}
         '';
       script = ''
@@ -229,26 +225,22 @@ in {
       serviceConfig.UMask = "0007";
     };
 
-    services.phpfpm.pools = let
+    services.phpfpm.poolConfigs = let
       # workaround for when both are null and need to generate a string,
       # which is illegal, but as assertions apparently are being triggered *after* config generation,
       # we have to avoid already throwing errors at this previous stage.
       socketOwner = if (cfg.nginx != null) then config.services.nginx.user
       else if (cfg.webServerUser != null) then cfg.webServerUser else "";
     in {
-      ${pool} = {
-        socketName = "${pool}";
-        phpPackage = pkgs.php;
-        user = "${user}";
-        group = "${group}";
-        extraConfig = ''
-          listen.owner = ${socketOwner}
-          listen.group = ${group}
-          listen.mode = 0600
-          env[PIWIK_USER_PATH] = ${dataDir}
-          ${cfg.phpfpmProcessManagerConfig}
-        '';
-      };
+      ${pool} = ''
+        listen = "${phpSocket}"
+        listen.owner = ${socketOwner}
+        listen.group = root
+        listen.mode = 0600
+        user = ${user}
+        env[PIWIK_USER_PATH] = ${dataDir}
+        ${cfg.phpfpmProcessManagerConfig}
+      '';
     };
 
 
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 9475af12fdd..fa9a36d1189 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -394,14 +394,13 @@ in {
                 phpOptions)));
         in {
           phpOptions = phpOptionsExtensions;
-          socketName = "nextcloud";
           phpPackage = phpPackage;
-          user = "nextcloud";
-          group = "${config.services.nginx.group}";
+          listen = "/run/phpfpm/nextcloud";
           extraConfig = ''
-            listen.owner = ${config.services.nginx.user}
-            listen.group = ${config.services.nginx.group}
-            listen.mode = 0600
+            listen.owner = nginx
+            listen.group = nginx
+            user = nextcloud
+            group = nginx
             ${cfg.poolConfig}
             env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config
             env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin
@@ -467,7 +466,7 @@ in {
                   fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
                   fastcgi_param modHeadersAvailable true;
                   fastcgi_param front_controller_active true;
-                  fastcgi_pass unix:/run/phpfpm-nextcloud/nextcloud.sock;
+                  fastcgi_pass unix:/run/phpfpm/nextcloud;
                   fastcgi_intercept_errors on;
                   fastcgi_request_buffering off;
                   fastcgi_read_timeout 120s;
diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix
index d4c99d6c44b..2e5e0ea6622 100644
--- a/nixos/modules/services/web-apps/restya-board.nix
+++ b/nixos/modules/services/web-apps/restya-board.nix
@@ -13,7 +13,7 @@ let
   runDir = "/run/restya-board";
 
   poolName = "restya-board";
-  phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
+  phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
 
 in
 
@@ -178,12 +178,9 @@ in
 
   config = mkIf cfg.enable {
 
-    services.phpfpm.pools = {
+    services.phpfpm.poolConfigs = {
       "${poolName}" = {
-        socketName = "${poolName}";
-        phpPackage = pkgs.php;
-        user = "${cfg.user}";
-        group = "${cfg.group}";
+        listen = phpfpmSocketName;
         phpOptions = ''
           date.timezone = "CET"
 
@@ -195,9 +192,11 @@ in
           ''}
         '';
         extraConfig = ''
-          listen.owner = ${config.services.nginx.user}
-          listen.group = ${config.services.nginx.group}
+          listen.owner = nginx
+          listen.group = nginx
           listen.mode = 0600
+          user = ${cfg.user}
+          group = ${cfg.group}
           pm = dynamic
           pm.max_children = 75
           pm.start_servers = 10
@@ -366,9 +365,6 @@ in
       home = runDir;
       group  = "restya-board";
     };
-    users.users.nginx = {
-      extraGroups = [ "restya-board" ];
-     };
     users.groups.restya-board = {};
 
     services.postgresql.enable = mkIf (cfg.database.host == null) true;
diff --git a/nixos/modules/services/web-apps/selfoss.nix b/nixos/modules/services/web-apps/selfoss.nix
index 6c5942d1e17..cd0f743a5fb 100644
--- a/nixos/modules/services/web-apps/selfoss.nix
+++ b/nixos/modules/services/web-apps/selfoss.nix
@@ -3,9 +3,9 @@ with lib;
 let
   cfg = config.services.selfoss;
 
-  poolName = "selfoss";
-  phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
-  group = "${cfg.user}";
+  poolName = "selfoss_pool";
+  phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
+
   dataDir = "/var/lib/selfoss";
 
   selfoss-config =
@@ -116,25 +116,21 @@ in
 
   config = mkIf cfg.enable {
 
-    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
-      "${poolName}" = {
-        socketName = "${poolName}";
-        phpPackage = pkgs.php;
-        user = "${cfg.user}";
-        group = "${group}";
-        extraConfig = ''
-          listen.owner = ${config.services.nginx.user}
-          listen.group = ${config.services.nginx.group}
-          listen.mode = 0600
-          pm = dynamic
-          pm.max_children = 75
-          pm.start_servers = 10
-          pm.min_spare_servers = 5
-          pm.max_spare_servers = 20
-          pm.max_requests = 500
-          catch_workers_output = 1
-        '';
-      };
+    services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
+      "${poolName}" = ''
+        listen = "${phpfpmSocketName}";
+        listen.owner = nginx
+        listen.group = nginx
+        listen.mode = 0600
+        user = nginx
+        pm = dynamic
+        pm.max_children = 75
+        pm.start_servers = 10
+        pm.min_spare_servers = 5
+        pm.max_spare_servers = 20
+        pm.max_requests = 500
+        catch_workers_output = 1
+      '';
     };
 
     systemd.services.selfoss-config = {
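Review bot: The restored pool runs its workers as `user = nginx` while the `selfoss-config` script in the next hunk makes `${dataDir}` owned by `${cfg.user}` with mode 755, so unless `cfg.user` resolves to nginx the PHP workers get read-only access to the data directory; the option's default is outside this diff, so please confirm. A `user = ${cfg.user}` line here, as tt-rss.nix does, would tie the two together. The pool is also renamed to `selfoss_pool`, and the `mkIf (cfg.pool == "${poolName}")` guard silently produces no pool at all if the `pool` option's default (not in the hunk) still reads `selfoss`.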
@@ -149,7 +145,7 @@ in
         # Create the files
         cp -r "${pkgs.selfoss}/"* "${dataDir}"
         ln -sf "${selfoss-config}" "${dataDir}/config.ini"
-        chown -R "${cfg.user}":"${group}" "${dataDir}"
+        chown -R "${cfg.user}" "${dataDir}"
         chmod -R 755 "${dataDir}"
       '';
       wantedBy = [ "multi-user.target" ];
@@ -166,8 +162,5 @@ in
 
     };
 
-    users.users.nginx = {
-      extraGroups = [ "${group}" ];
-     };
   };
 }
diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index e59988ef7b2..b882f6c2ae7 100644
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -512,14 +512,12 @@ let
 
     services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
       "${poolName}" = {
-        socketName = "${poolName}";
-        phpPackage = pkgs.php;
-        user = "${config.services.nginx.user}";
-        group = "${config.services.nginx.group}";
+        listen = "/var/run/phpfpm/${poolName}.sock";
         extraConfig = ''
-          listen.owner = ${config.services.nginx.user}
-          listen.group = ${config.services.nginx.group}
+          listen.owner = nginx
+          listen.group = nginx
           listen.mode = 0600
+          user = ${cfg.user}
           pm = dynamic
           pm.max_children = 75
           pm.start_servers = 10
@@ -545,7 +543,7 @@ let
           locations."~ \.php$" = {
             extraConfig = ''
               fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
+              fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen};
               fastcgi_index index.php;
             '';
           };
diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix
index e424080ab1f..ffafbc5e92f 100644
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -4,26 +4,37 @@ with lib;
 
 let
   cfg = config.services.phpfpm;
-  enabled = cfg.pools != {};
+  enabled = cfg.poolConfigs != {} || cfg.pools != {};
 
-  poolConfigs = (mapAttrs mapPool cfg.pools);
+  stateDir = "/run/phpfpm";
+
+  poolConfigs =
+    (mapAttrs mapPoolConfig cfg.poolConfigs) //
+    (mapAttrs mapPool cfg.pools);
+
+  mapPoolConfig = n: p: {
+    phpPackage = cfg.phpPackage;
+    phpOptions = cfg.phpOptions;
+    config = p;
+  };
 
   mapPool = n: p: {
     phpPackage = p.phpPackage;
     phpOptions = p.phpOptions;
-    userPool = p.user;
-    groupPool = p.group;
+    config = ''
+      listen = ${p.listen}
+      ${p.extraConfig}
+    '';
   };
 
   fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" ''
     [global]
     error_log = syslog
     daemonize = no
-    ${cfg.globalExtraConfig}
+    ${cfg.extraConfig}
 
     [${pool}]
-    listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock
-    ${cfg.pools.${pool}.extraConfig}
+    ${conf}
   '';
 
   phpIni = pool: pkgs.runCommand "php.ini" {
@@ -38,100 +49,87 @@ let
   '';
 
 in {
+
   options = {
     services.phpfpm = {
-      globalExtraConfig = mkOption {
+      extraConfig = mkOption {
         type = types.lines;
         default = "";
         description = ''
-          Global extra configuration that should be put in the global section of
+          Extra configuration that should be put in the global section of
           the PHP-FPM configuration file. Do not specify the options
           <literal>error_log</literal> or
-          <literal>daemonize</literal> here, since they are generated by NixOS.
+          <literal>daemonize</literal> here, since they are generated by
+          NixOS.
         '';
       };
 
-      pools = mkOption {
-        default = {};
-        type = types.attrsOf (types.submodule {
-          options = {
-            socketName = mkOption {
-              type = types.str;
-              example = "php-fpm";
-              description = ''
-                The address on which to accept FastCGI requests.
-              '';
-            };
-
-            phpPackage = mkOption {
-              type = types.package;
-              default = fpmCfg.phpPackage;
-              defaultText = "config.services.phpfpm.phpPackage";
-              description = ''
-                The PHP package to use for running this PHP-FPM pool.
-              '';
-            };
-
-            phpOptions = mkOption {
-              type = types.lines;
-              default = fpmCfg.phpOptions;
-              defaultText = "config.services.phpfpm.phpOptions";
-              description = ''
-                "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
-              '';
-            };
-
-            user = mkOption {
-              type = types.string;
-              default = "phpfpm";
-              description = "User account under which phpfpm runs.";
-            };
-
-            group = mkOption {
-              type = types.string;
-              default = "phpfpm";
-              description = "Group account under which phpfpm runs.";
-            };
-
-            extraConfig = mkOption {
-              type = types.lines;
-              example = ''
-                pm = dynamic
-                pm.max_children = 75
-                pm.start_servers = 10
-                pm.min_spare_servers = 5
-                pm.max_spare_servers = 20
-                pm.max_requests = 500
-              '';
-
-              description = ''
-                Extra lines that go into the pool configuration.
-                See the documentation on <literal>php-fpm.conf</literal> for
-                details on configuration directives.
-              '';
-            };
-          };
-        });
+      phpPackage = mkOption {
+        type = types.package;
+        default = pkgs.php;
+        defaultText = "pkgs.php";
+        description = ''
+          The PHP package to use for running the PHP-FPM service.
+        '';
+      };
 
+      phpOptions = mkOption {
+        type = types.lines;
+        default = "";
+        example =
+          ''
+            date.timezone = "CET"
+          '';
+        description =
+          "Options appended to the PHP configuration file <filename>php.ini</filename>.";
+      };
+
+      poolConfigs = mkOption {
+        default = {};
+        type = types.attrsOf types.lines;
         example = literalExample ''
-          {
-            mypool = {
-              socketName = "example";
-              phpPackage = pkgs.php;
-              user = "phpfpm";
-              group = "phpfpm";
-              extraConfig = '''
-                pm = dynamic
-                pm.max_children = 75
-                pm.start_servers = 10
-                pm.min_spare_servers = 5
-                pm.max_spare_servers = 20
-                pm.max_requests = 500
-              ''';
-            }
+          { mypool = '''
+              listen = /run/phpfpm/mypool
+              user = nobody
+              pm = dynamic
+              pm.max_children = 75
+              pm.start_servers = 10
+              pm.min_spare_servers = 5
+              pm.max_spare_servers = 20
+              pm.max_requests = 500
+            ''';
           }
         '';
         description = ''
+          A mapping between PHP-FPM pool names and their configurations.
+          See the documentation on <literal>php-fpm.conf</literal> for
+          details on configuration directives. If no pools are defined,
+          the phpfpm service is disabled.
+        '';
+      };
+
+      pools = mkOption {
+        type = types.attrsOf (types.submodule (import ./pool-options.nix {
+          inherit lib config;
+        }));
+        default = {};
+        example = literalExample ''
+         {
+           mypool = {
+             listen = "/path/to/unix/socket";
+             phpPackage = pkgs.php;
+             extraConfig = '''
+               user = nobody
+               pm = dynamic
+               pm.max_children = 75
+               pm.start_servers = 10
+               pm.min_spare_servers = 5
+               pm.max_spare_servers = 20
+               pm.max_requests = 500
+             ''';
+           }
+         }'';
+        description = ''
           PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM
           service is disabled.
         '';
@@ -156,6 +154,9 @@ in {
         after = [ "network.target" ];
         wantedBy = [ "phpfpm.target" ];
         partOf = [ "phpfpm.target" ];
+        preStart = ''
+          mkdir -p ${stateDir}
+        '';
         serviceConfig = let
           cfgFile = fpmCfgFile pool poolConfig.config;
           iniFile = phpIni poolConfig;
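Review bot: `preStart` creates `${stateDir}` with `mkdir -p` and no explicit mode, so the permissions of `/run/phpfpm` are whatever the service's umask yields, yet every pool in this diff that places its socket there relies on the web-server user being able to traverse that directory (`listen.owner`/`listen.group`/`listen.mode` govern only the socket itself). The comment restored in matomo.nix states the directory is `root:root 0770` and unreachable by the web server, which cannot hold at the same time as the roundcube, nextcloud and icingaweb2 sockets under it being usable; one of the two needs correcting. Setting the mode explicitly, `mkdir -p ${stateDir}` followed by `chmod 0755 ${stateDir}`, makes the directory traversable while each socket stays protected by its own `listen.mode`. The enclosing `systemd.services` attribute set starts and ends outside the hunk.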
@@ -165,19 +166,10 @@ in {
           ProtectSystem = "full";
           ProtectHome = true;
           # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
-          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+          RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
           Type = "notify";
-          ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'";
+          ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
           ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
-          # User and group
-          User = "${poolConfig.userPool}";
-          Group = "${poolConfig.groupPool}";
-          # Runtime directory and mode
-          RuntimeDirectory = "phpfpm-${pool}";
-          RuntimeDirectoryMode = "0750";
-          # Capabilities
-          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
-          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
         };
       }
    );
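Review bot: With `User`, `Group`, `AmbientCapabilities` and `CapabilityBoundingSet` gone, the php-fpm master now runs as root with an unrestricted capability set and drops privileges only per pool through the `user`/`group` lines each module writes into its config. Even with the master left as root, a bounding set limited to what it needs to switch identity and bind sockets — the removed line's `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];`, probably with `CAP_KILL` added so the root master can still signal workers running under pool users — bounds the blast radius of a compromised master without touching how pools are configured. `RestrictAddressFamilies` changing from a list to a space-separated string is purely stylistic; both spellings are accepted, but the list form matches the other list-valued options in this service definition. The `serviceConfig` attribute set is opened before the hunk.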
diff --git a/nixos/modules/services/web-servers/phpfpm/pool-options.nix b/nixos/modules/services/web-servers/phpfpm/pool-options.nix
new file mode 100644
index 00000000000..d9ad7eff71f
--- /dev/null
+++ b/nixos/modules/services/web-servers/phpfpm/pool-options.nix
@@ -0,0 +1,57 @@
+{ lib, config }:
+
+let
+  fpmCfg = config.services.phpfpm;
+in
+
+with lib; {
+
+  options = {
+
+    listen = mkOption {
+      type = types.str;
+      example = "/path/to/unix/socket";
+      description = ''
+        The address on which to accept FastCGI requests.
+      '';
+    };
+
+    phpPackage = mkOption {
+      type = types.package;
+      default = fpmCfg.phpPackage;
+      defaultText = "config.services.phpfpm.phpPackage";
+      description = ''
+        The PHP package to use for running this PHP-FPM pool.
+      '';
+    };
+
+    phpOptions = mkOption {
+      type = types.lines;
+      default = fpmCfg.phpOptions;
+      defaultText = "config.services.phpfpm.phpOptions";
+      description = ''
+        "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
+      '';
+    };
+
+    extraConfig = mkOption {
+      type = types.lines;
+      example = ''
+        user = nobody
+        pm = dynamic
+        pm.max_children = 75
+        pm.start_servers = 10
+        pm.min_spare_servers = 5
+        pm.max_spare_servers = 20
+        pm.max_requests = 500
+      '';
+
+      description = ''
+        Extra lines that go into the pool configuration.
+        See the documentation on <literal>php-fpm.conf</literal> for
+        details on configuration directives.
+      '';
+    };
+  };
+}
+
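Review bot: The `phpOptions` description is wrapped in literal double quotes inside the `''` string, so the rendered option documentation shows the quotes; it should read `Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool.` without them. The submodule also has no `user`/`group` options, so the identity a pool runs under and the socket's `listen.owner`/`listen.group`/`listen.mode` all have to be supplied through `extraConfig`; a sentence on the `listen` option saying so (e.g. "The socket's owner, group and mode must be set via listen.owner, listen.group and listen.mode in extraConfig.") would spare each module from rediscovering it. The `user =` line is not optional in practice — as far as I recall php-fpm refuses to start a pool without one when its master runs as root, which is the setup this revert restores — so that is worth stating on the `extraConfig` option as well.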