From 320e8ab5d7ee8a04011cb19a7ac15cdd2525d59a Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 14:49:35 +0300 Subject: nixos/phpfpm: do not run anything as root --- .../services/web-servers/phpfpm/default.nix | 55 ++++++++++++---------- .../services/web-servers/phpfpm/pool-options.nix | 17 +++++-- 2 files changed, 45 insertions(+), 27 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index ffafbc5e92f..b4a1a55687d 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -6,8 +6,6 @@ let cfg = config.services.phpfpm; enabled = cfg.poolConfigs != {} || cfg.pools != {}; - stateDir = "/run/phpfpm"; - poolConfigs = (mapAttrs mapPoolConfig cfg.poolConfigs) // (mapAttrs mapPool cfg.pools); @@ -21,8 +19,9 @@ let mapPool = n: p: { phpPackage = p.phpPackage; phpOptions = p.phpOptions; + userPool = p.user; + groupPool = p.group; config = '' - listen = ${p.listen} ${p.extraConfig} ''; }; @@ -34,6 +33,7 @@ let ${cfg.extraConfig} [${pool}] + listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock ${conf} ''; @@ -49,7 +49,6 @@ let ''; in { - options = { services.phpfpm = { extraConfig = mkOption { 
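Review bot: The new `listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock` line in fpmCfgFile indexes `cfg.pools` for every pool, but the `poolConfigs` attrset is still merged into the same `poolConfigs` binding a few lines above, so any pool defined through services.phpfpm.poolConfigs now fails evaluation with an attribute-missing error on `cfg.pools.${pool}`, and a poolConfigs string that still carries its own `listen =` would emit two listen directives. Until poolConfigs is removed, the socket path should come from the per-pool record instead: have mapPool produce `listen = "/run/phpfpm-${n}/${p.socketName}.sock";`, have mapPoolConfig produce `listen = null;`, and emit the line in fpmCfgFile only when it is non-null. fpmCfgFile is shown in full here, but its call site is outside this hunk.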
@@ -114,21 +113,23 @@ in { })); default = {}; example = literalExample '' - { - mypool = { - listen = "/path/to/unix/socket"; - phpPackage = pkgs.php; - extraConfig = ''' - user = nobody - pm = dynamic - pm.max_children = 75 - pm.start_servers = 10 - pm.min_spare_servers = 5 - pm.max_spare_servers = 20 - pm.max_requests = 500 - '''; - } - }''; + { + mypool = { + socketName = "example"; + phpPackage = pkgs.php; + user = "phpfpm"; + group = "phpfpm"; + extraConfig = ''' + pm = dynamic + pm.max_children = 75 + pm.start_servers = 10 + pm.min_spare_servers = 5 + pm.max_spare_servers = 20 + pm.max_requests = 500 + '''; + } + } + ''; description = '' PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM service is disabled. @@ -154,9 +155,6 @@ in { after = [ "network.target" ]; wantedBy = [ "phpfpm.target" ]; partOf = [ "phpfpm.target" ]; - preStart = '' - mkdir -p ${stateDir} - ''; serviceConfig = let cfgFile = fpmCfgFile pool poolConfig.config; iniFile = phpIni poolConfig; @@ -166,10 +164,19 @@ in { ProtectSystem = "full"; ProtectHome = true; # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work - RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; Type = "notify"; - ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}"; + ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'"; ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; + # User and group + User = "${poolConfig.userPool}"; + Group = "${poolConfig.groupPool}"; + # Runtime directory and mode + RuntimeDirectory = "phpfpm-${pool}"; + RuntimeDirectoryMode = "0750"; + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ]; }; } ); 
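Review bot: The `AmbientCapabilities` list in the new serviceConfig grants CAP_SETUID and CAP_SETGID to the php-fpm master and, because ambient capabilities survive fork and execve, to every PHP worker and anything a worker spawns; a compromised worker can then setuid(0) and obtain owner access to every root-owned file the sandbox still exposes, which undoes the point of running the pool as an unprivileged user. As far as I can tell php-fpm only switches uid/gid in its children when it was started as root, so once the master already starts as `${poolConfig.userPool}` those two capabilities are unused and should be dropped: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];` with the same list for `CapabilityBoundingSet`, and CAP_CHOWN (needed only for `listen.owner`/`listen.group`) is worth replacing by group membership on the 0750 RuntimeDirectory as later commits in this series do. Note also that `User = "${poolConfig.userPool}"` defaults to "phpfpm", but nothing in this hunk declares that user or group, so the unit cannot start with the defaults unless they are created elsewhere. The serviceConfig attrset continues outside the hunk.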
diff --git a/nixos/modules/services/web-servers/phpfpm/pool-options.nix b/nixos/modules/services/web-servers/phpfpm/pool-options.nix index d9ad7eff71f..2c3ed090e1c 100644 --- a/nixos/modules/services/web-servers/phpfpm/pool-options.nix +++ b/nixos/modules/services/web-servers/phpfpm/pool-options.nix @@ -8,9 +8,9 @@ with lib; { options = { - listen = mkOption { + socketName = mkOption { type = types.str; - example = "/path/to/unix/socket"; + example = "php-fpm"; description = '' The address on which to accept FastCGI requests. ''; @@ -34,10 +34,21 @@ with lib; { ''; }; + user = mkOption { + type = types.string; + default = "phpfpm"; + description = "User account under which phpfpm runs."; + }; + + group = mkOption { + type = types.string; + default = "phpfpm"; + description = "Group account under which phpfpm runs."; + }; + extraConfig = mkOption { type = types.lines; example = '' - user = nobody pm = dynamic pm.max_children = 75 pm.start_servers = 10 -- cgit 1.4.1 From 59a33f25e54a05b0be4f772073b7dec660e94c04 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 15:22:36 +0300 Subject: nixos/roundcube: fix work with phpfpm-rootless mode --- nixos/modules/services/mail/roundcube.nix | 42 +++++++++++++++++-------------- 1 file changed, 23 insertions(+), 19 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index e8b2e11bf72..12837f7efe7 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -105,7 +105,7 @@ in extraConfig = '' location ~* \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/phpfpm/roundcube; + fastcgi_pass unix:/run/phpfpm-roundcube/roundcube.sock; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; } 
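Review bot: The renamed `socketName` option keeps the old description "The address on which to accept FastCGI requests", but the value is now a bare file name that default.nix interpolates into `/run/phpfpm-<pool>/<socketName>.sock`, and nothing rejects a value containing `/` or `..`, which would place the socket outside the per-pool RuntimeDirectory and its 0750 protection. A description such as `Base name of the Unix socket created as /run/phpfpm-<pool>/<socketName>.sock.` and a type of `types.strMatching "[A-Za-z0-9_.-]+"` instead of `types.str` would close both gaps.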
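Review bot: The new `user` and `group` options are declared with `types.string`, which is deprecated and merges duplicate definitions by concatenation, so two modules setting the same pool's user would silently yield a name like "nginxphpfpm" instead of a definition conflict; both should be `types.str`. The descriptions could also say what the value is used for, e.g. `User account under which the pool's master and worker processes run (systemd User=).`, since the earlier `user =` directive in extraConfig is no longer honoured for a non-root master.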
@@ -119,24 +119,28 @@ in enable = true; }; - services.phpfpm.poolConfigs.roundcube = '' - listen = /run/phpfpm/roundcube - listen.owner = nginx - listen.group = nginx - listen.mode = 0660 - user = nginx - pm = dynamic - pm.max_children = 75 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 20 - pm.max_requests = 500 - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - php_admin_value[post_max_size] = 25M - php_admin_value[upload_max_filesize] = 25M - catch_workers_output = yes - ''; + services.phpfpm.pools.roundcube = { + socketName = "roundcube"; + phpPackage = pkgs.php; + user = "${config.services.nginx.user}"; + group = "${config.services.nginx.group}"; + extraConfig = '' + listen.owner = ${config.services.nginx.user} + listen.group = ${config.services.nginx.group} + listen.mode = 0600 + pm = dynamic + pm.max_children = 75 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 20 + pm.max_requests = 500 + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + php_admin_value[post_max_size] = 25M + php_admin_value[upload_max_filesize] = 25M + catch_workers_output = yes + ''; + }; systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ]; systemd.services.roundcube-setup = let -- cgit 1.4.1 From d49857a885e86ed1b910b8bc550b9a4e5ded783a Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 15:44:18 +0300 Subject: nixos/limesurvey: fix work with phpfpm-rootless mode --- nixos/modules/services/web-apps/limesurvey.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index f9e12e3642e..d68812dd45c 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix 
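Review bot: The new pool runs its PHP workers as `config.services.nginx.user`, so Roundcube code executes with the web server's own identity and can read or write anything nginx's user can, including the listen sockets of every other pool that sets `listen.owner` to that user; the commit carries the pre-existing `user = nginx` choice over rather than separating the two. The rest of this series gives each application its own account and puts the nginx user in its group, and the same shape fits here: `user = "roundcube"; group = "roundcube";` with `users.users.${config.services.nginx.user}.extraGroups = [ "roundcube" ];` and a matching `users.users.roundcube` declaration, keeping `listen.owner`/`listen.group` on the nginx user as written; any writable state prepared by roundcube-setup (outside this hunk) would need the same ownership. Separately, `user = "${config.services.nginx.user}"` interpolates a value that is already a string; `user = config.services.nginx.user;` is the idiomatic form.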
@@ -202,13 +202,13 @@ in }; services.phpfpm.pools.limesurvey = { + socketName = "limesurvey"; phpPackage = php; - listen = "/run/phpfpm/limesurvey.sock"; + user = "${user}"; + group = "${group}"; extraConfig = '' listen.owner = ${config.services.httpd.user}; listen.group = ${config.services.httpd.group}; - user = ${user}; - group = ${group}; env[LIMESURVEY_CONFIG] = ${limesurveyConfig} @@ -241,7 +241,7 @@ in - SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/" + SetHandler "proxy:unix:/run/phpfpm-limesurvey/limesurvey.sock|fcgi://localhost/" -- cgit 1.4.1 From 2172419101c08b68652c37b38eb03b453fb252fa Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 16:36:20 +0300 Subject: nixos/icingaweb2: fix work with phpfpm-rootless mode --- .../services/web-apps/icingaweb2/icingaweb2.nix | 36 +++++++++++++--------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix index 910e1d937bf..e83270fda5c 100644 --- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix +++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: with lib; let cfg = config.services.icingaweb2; poolName = "icingaweb2"; - phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock"; defaultConfig = { global = { 
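Review bot: The socket now lives in `/run/phpfpm-limesurvey`, which systemd creates as `${user}:${group}` with mode 0750, and the pool sets only `listen.owner`/`listen.group` to the httpd user and group; unless the httpd user is a member of `${group}` (not visible in this hunk), Apache cannot traverse that directory and every PHP request fails with a permission error, the case the other commits in this series cover with an `extraGroups` entry. If `group` is not already the httpd group, add `users.users.${config.services.httpd.user}.extraGroups = [ group ];` next to the pool, and consider an explicit `listen.mode = 0600` since the socket is owned by the web server anyway. The `user`/`group` bindings and the pool definition begin outside this hunk.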
@@ -162,19 +161,23 @@ in { }; config = mkIf cfg.enable { - services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") { - "${poolName}" = '' - listen = "${phpfpmSocketName}" - listen.owner = nginx - listen.group = nginx - listen.mode = 0600 - user = icingaweb2 - pm = dynamic - pm.max_children = 75 - pm.start_servers = 2 - pm.min_spare_servers = 2 - pm.max_spare_servers = 10 - ''; + services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { + "${poolName}" = { + socketName = "${poolName}"; + phpPackage = pkgs.php; + user = "icingaweb2"; + group = "icingaweb2"; + extraConfig = '' + listen.owner = ${config.services.nginx.user} + listen.group = ${config.services.nginx.group} + listen.mode = 0600 + pm = dynamic + pm.max_children = 75 + pm.start_servers = 2 + pm.min_spare_servers = 2 + pm.max_spare_servers = 10 + ''; + }; }; services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}") @@ -206,7 +209,7 @@ in { include ${config.services.nginx.package}/conf/fastcgi.conf; try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${phpfpmSocketName}; + fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock; fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php; ''; }; @@ -239,5 +242,8 @@ in { group = "icingaweb2"; isSystemUser = true; }; + users.users.nginx = { + extraGroups = [ "icingaweb2" ]; + }; }; } -- cgit 1.4.1 From 5d3805487a8b6172ce04604f2dc39902e4fcb286 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 16:38:07 +0300 Subject: nixos/zoneminder: fix work with phpfpm-rootless mode --- nixos/modules/services/misc/zoneminder.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index 9c555e8031c..82d49cdedec 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix 
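Review bot: The new `users.users.nginx = { extraGroups = [ "icingaweb2" ]; }` hard-codes the account name while the pool a few hunks up sets `listen.owner = ${config.services.nginx.user}`; if services.nginx.user is customised, the group membership lands on a different (and, in that case, freshly created) `nginx` user and the real web server user cannot traverse the 0750 `/run/phpfpm-icingaweb2` directory. Use the same reference in both places: `users.users.${config.services.nginx.user}.extraGroups = [ "icingaweb2" ];`, and the matomo commit in this series already does it that way.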
@@ -19,7 +19,7 @@ let useCustomDir = cfg.storageDir != null; - socket = "/run/phpfpm/${dirName}.sock"; + socket = "/run/phpfpm-zoneminder/zoneminder.sock"; zms = "/cgi-bin/zms"; @@ -278,7 +278,10 @@ in { phpfpm = lib.mkIf useNginx { pools.zoneminder = { - listen = socket; + socketName = "zoneminder"; + phpPackage = pkgs.php; + user = "${user}"; + group = "${group}"; phpOptions = '' date.timezone = "${config.time.timeZone}" @@ -286,9 +289,6 @@ in { "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)} ''; extraConfig = '' - user = ${user} - group = ${group} - listen.owner = ${user} listen.group = ${group} listen.mode = 0660 -- cgit 1.4.1 From 08dae69741a91e12a7a1910ee1339b48cf346611 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 17:43:09 +0300 Subject: nixos/matomo: fix work with phpfpm-rootless mode --- nixos/modules/services/web-apps/matomo.nix | 38 ++++++++++++++++++------------ 1 file changed, 23 insertions(+), 15 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix index 14aca45a342..e058c18ad87 100644 --- a/nixos/modules/services/web-apps/matomo.nix +++ b/nixos/modules/services/web-apps/matomo.nix @@ -4,13 +4,14 @@ let cfg = config.services.matomo; user = "matomo"; + group = "matomo"; dataDir = "/var/lib/${user}"; deprecatedDataDir = "/var/lib/piwik"; pool = user; - # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, + # it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770, # and therefore is not accessible by the web server. - phpSocket = "/run/phpfpm-${pool}.sock"; + phpSocket = "/run/phpfpm-${pool}/${pool}.sock"; phpExecutionUnit = "phpfpm-${pool}"; databaseService = "mysql.service"; 
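Review bot: With `user`/`group` now set to the zoneminder account, the socket in `/run/phpfpm-zoneminder` is created inside a directory owned by that account with mode 0750, and the surviving `listen.owner = ${user}`, `listen.group = ${group}`, `listen.mode = 0660` lines mean the web server can connect only if its user is in `${group}`; whether the module adds `config.services.nginx.user` to that group is not visible in this hunk, so please confirm it, and if not add `users.users.${config.services.nginx.user}.extraGroups = [ group ];` next to the pool. If it is present, the explicit `listen.owner`/`listen.group` lines are redundant for a master already running as that user and the pool would not need CAP_CHOWN at all.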
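Review bot: The rewritten comment above `phpSocket` now says it is not possible to use `/run/phpfpm-${pool}/${pool}.sock` because `/run/phpfpm/` is root:root 0770, and the very next line assigns exactly that path, so the explanation contradicts the code and cites a directory that no longer exists after the phpfpm module change. Replace it with a comment describing the current arrangement, e.g. `# The socket lives in the pool's systemd RuntimeDirectory (/run/phpfpm-${pool}, mode 0750, owned by ${user}:${group}); the web server user must be a member of ${group} to reach it.`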
@@ -137,9 +138,12 @@ in { isSystemUser = true; createHome = true; home = dataDir; - group = user; + group = "${group}"; }; - users.groups.${user} = {}; + users.users.${config.services.nginx.user} = { + extraGroups = [ "${group}" ]; + }; + users.groups.${group} = {}; systemd.services.matomo-setup-update = { # everything needs to set up and up to date before Matomo php files are executed @@ -169,7 +173,7 @@ in { echo "Migrating from ${deprecatedDataDir} to ${dataDir}" mv -T ${deprecatedDataDir} ${dataDir} fi - chown -R ${user}:${user} ${dataDir} + chown -R ${user}:${group} ${dataDir} chmod -R ug+rwX,o-rwx ${dataDir} ''; script = '' @@ -225,22 +229,26 @@ in { serviceConfig.UMask = "0007"; }; - services.phpfpm.poolConfigs = let + services.phpfpm.pools = let # workaround for when both are null and need to generate a string, # which is illegal, but as assertions apparently are being triggered *after* config generation, # we have to avoid already throwing errors at this previous stage. socketOwner = if (cfg.nginx != null) then config.services.nginx.user else if (cfg.webServerUser != null) then cfg.webServerUser else ""; in { - ${pool} = '' - listen = "${phpSocket}" - listen.owner = ${socketOwner} - listen.group = root - listen.mode = 0600 - user = ${user} - env[PIWIK_USER_PATH] = ${dataDir} - ${cfg.phpfpmProcessManagerConfig} - ''; + ${pool} = { + socketName = "${pool}"; + phpPackage = pkgs.php; + user = "${user}"; + group = "${group}"; + extraConfig = '' + listen.owner = ${socketOwner} + listen.group = ${group} + listen.mode = 0600 + env[PIWIK_USER_PATH] = ${dataDir} + ${cfg.phpfpmProcessManagerConfig} + ''; + }; }; -- cgit 1.4.1 From 5b1a4730bc65ff7c5310bc885f9dbd0c28182fee Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 18:13:04 +0300 Subject: nixos/nextcloud: fix work with phpfpm-rootless mode --- nixos/modules/services/web-apps/nextcloud.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'nixos/modules') 
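Review bot: The added `users.users.${config.services.nginx.user} = { extraGroups = [ "${group}" ]; }` is unconditional, yet the pool definition later in this commit supports `cfg.webServerUser` for the non-nginx case; when that option is used, the web server user is never added to `${group}`, so it cannot traverse the 0750 `/run/phpfpm-matomo` directory, while an unrelated `nginx` account is silently created with the group membership. Grant the membership to whichever user actually connects, i.e. hoist `socketOwner` out of the pools block and write `users.users.${socketOwner} = mkIf (socketOwner != "") { extraGroups = [ group ]; };`. The `"${group}"` interpolations in this hunk can also be plain `group`.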
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index bb39a5d1d71..35be5cb9712 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -394,13 +394,14 @@ in { phpOptions))); in { phpOptions = phpOptionsExtensions; + socketName = "nextcloud"; phpPackage = phpPackage; - listen = "/run/phpfpm/nextcloud"; + user = "nextcloud"; + group = "${config.services.nginx.group}"; extraConfig = '' - listen.owner = nginx - listen.group = nginx - user = nextcloud - group = nginx + listen.owner = ${config.services.nginx.user} + listen.group = ${config.services.nginx.group} + listen.mode = 0600 ${cfg.poolConfig} env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin @@ -466,7 +467,7 @@ in { fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; - fastcgi_pass unix:/run/phpfpm/nextcloud; + fastcgi_pass unix:/run/phpfpm-nextcloud/nextcloud.sock; fastcgi_intercept_errors on; fastcgi_request_buffering off; fastcgi_read_timeout 120s; -- cgit 1.4.1 From d44f759b5588e5c9350958329409c7ab598740e5 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 18:40:11 +0300 Subject: nixos/restya-board: fix work with phpfpm-rootless mode --- nixos/modules/services/web-apps/restya-board.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/restya-board.nix b/nixos/modules/services/web-apps/restya-board.nix index 2e5e0ea6622..d4c99d6c44b 100644 --- a/nixos/modules/services/web-apps/restya-board.nix +++ b/nixos/modules/services/web-apps/restya-board.nix 
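Review bot: `group = "${config.services.nginx.group}"` makes nginx's group the primary group of every Nextcloud worker, so PHP code runs with whatever group access the web server has and the socket directory protection rests on the web server's group rather than on a Nextcloud-owned one; the other modules in this series do the opposite, giving the application its own group and adding the nginx user to it. If Nextcloud's data directory does not depend on nginx's group (its ownership is set outside this hunk, so this needs confirming), the same shape works here: `group = "nextcloud";` plus `users.users.${config.services.nginx.user}.extraGroups = [ "nextcloud" ];`, keeping `listen.owner`/`listen.group` on the nginx user as written. If the nginx group is kept, drop the redundant interpolation: `group = config.services.nginx.group;`.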
@@ -13,7 +13,7 @@ let runDir = "/run/restya-board"; poolName = "restya-board"; - phpfpmSocketName = "/run/phpfpm/${poolName}.sock"; + phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock"; in @@ -178,9 +178,12 @@ in config = mkIf cfg.enable { - services.phpfpm.poolConfigs = { + services.phpfpm.pools = { "${poolName}" = { - listen = phpfpmSocketName; + socketName = "${poolName}"; + phpPackage = pkgs.php; + user = "${cfg.user}"; + group = "${cfg.group}"; phpOptions = '' date.timezone = "CET" @@ -192,11 +195,9 @@ in ''} ''; extraConfig = '' - listen.owner = nginx - listen.group = nginx + listen.owner = ${config.services.nginx.user} + listen.group = ${config.services.nginx.group} listen.mode = 0600 - user = ${cfg.user} - group = ${cfg.group} pm = dynamic pm.max_children = 75 pm.start_servers = 10 @@ -365,6 +366,9 @@ in home = runDir; group = "restya-board"; }; + users.users.nginx = { + extraGroups = [ "restya-board" ]; + }; users.groups.restya-board = {}; services.postgresql.enable = mkIf (cfg.database.host == null) true; -- cgit 1.4.1 From 6290bf906773f3e45df27c4ffe0f199e1cd7798a Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 19:09:31 +0300 Subject: nixos/selfoss: fix work with phpfpm-rootless mode --- nixos/modules/services/web-apps/selfoss.nix | 45 +++++++++++++++++------------ 1 file changed, 26 insertions(+), 19 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/selfoss.nix b/nixos/modules/services/web-apps/selfoss.nix index cd0f743a5fb..6c5942d1e17 100644 --- a/nixos/modules/services/web-apps/selfoss.nix +++ b/nixos/modules/services/web-apps/selfoss.nix @@ -3,9 +3,9 @@ with lib; let cfg = config.services.selfoss; - poolName = "selfoss_pool"; - phpfpmSocketName = "/run/phpfpm/${poolName}.sock"; - + poolName = "selfoss"; + phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock"; + group = "${cfg.user}"; dataDir = "/var/lib/selfoss"; selfoss-config = 
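Review bot: The added `users.users.nginx = { extraGroups = [ "restya-board" ]; }` hard-codes the account name while the pool now sets `listen.owner = ${config.services.nginx.user}`; with a customised services.nginx.user the membership goes to the wrong (and newly created) `nginx` user and the real web server user cannot enter the 0750 `/run/phpfpm-restya-board` directory. Write `users.users.${config.services.nginx.user}.extraGroups = [ "restya-board" ];` instead, and note that `cfg.group` used for the pool and the literal "restya-board" used here are assumed to be the same group, which holds only if cfg.group has no other value.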
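Review bot: The new `group = "${cfg.user}";` binding assumes a group named exactly like the configured user exists, and the later `chown "${cfg.user}":"${group}"` and the pool's `group` will fail for any `services.selfoss.user` whose primary group has a different name; a `users.groups.${group} = {};` declaration (or deriving the group from the user's entry) would make that explicit. Renaming `poolName` from "selfoss_pool" to "selfoss" also changes what `cfg.pool == "${poolName}"` compares against, so if the `pool` option's default (outside this hunk) is a literal "selfoss_pool" rather than `poolName`, the pool is silently never created; please confirm the default follows the binding.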
@@ -116,21 +116,25 @@ in config = mkIf cfg.enable { - services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") { - "${poolName}" = '' - listen = "${phpfpmSocketName}"; - listen.owner = nginx - listen.group = nginx - listen.mode = 0600 - user = nginx - pm = dynamic - pm.max_children = 75 - pm.start_servers = 10 - pm.min_spare_servers = 5 - pm.max_spare_servers = 20 - pm.max_requests = 500 - catch_workers_output = 1 - ''; + services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { + "${poolName}" = { + socketName = "${poolName}"; + phpPackage = pkgs.php; + user = "${cfg.user}"; + group = "${group}"; + extraConfig = '' + listen.owner = ${config.services.nginx.user} + listen.group = ${config.services.nginx.group} + listen.mode = 0600 + pm = dynamic + pm.max_children = 75 + pm.start_servers = 10 + pm.min_spare_servers = 5 + pm.max_spare_servers = 20 + pm.max_requests = 500 + catch_workers_output = 1 + ''; + }; }; systemd.services.selfoss-config = { @@ -145,7 +149,7 @@ in # Create the files cp -r "${pkgs.selfoss}/"* "${dataDir}" ln -sf "${selfoss-config}" "${dataDir}/config.ini" - chown -R "${cfg.user}" "${dataDir}" + chown -R "${cfg.user}":"${group}" "${dataDir}" chmod -R 755 "${dataDir}" ''; wantedBy = [ "multi-user.target" ]; @@ -162,5 +166,8 @@ in }; + users.users.nginx = { + extraGroups = [ "${group}" ]; + }; }; } -- cgit 1.4.1 From 6093c04b67a82d4de611a139f9f7d6c7ec1dd7e8 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 15 Jun 2019 19:37:41 +0300 Subject: nixos/tt-rss: fix work with phpfpm-rootless mode --- nixos/modules/services/web-apps/tt-rss.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index 08297c7275a..6afb193bb37 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix 
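Review bot: The added `users.users.nginx = { extraGroups = [ "${group}" ]; }` hard-codes the nginx account while the pool sets `listen.owner = ${config.services.nginx.user}`, so a customised services.nginx.user ends up without access to the 0750 `/run/phpfpm-selfoss` directory and a stray `nginx` user is created; `users.users.${config.services.nginx.user}.extraGroups = [ group ];` keeps both in step. The same hunk also leaves `chmod -R 755 "${dataDir}"` in place, which makes the Selfoss tree world-readable even though the pool now has a dedicated owner and group; `chmod -R u+rwX,g+rX,o-rwx` would match the group-based access model the series is moving to.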
@@ -513,12 +513,14 @@ let services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") { "${poolName}" = { - listen = "/var/run/phpfpm/${poolName}.sock"; + socketName = "${poolName}"; + phpPackage = pkgs.php; + user = "${config.services.nginx.user}"; + group = "${config.services.nginx.group}"; extraConfig = '' - listen.owner = nginx - listen.group = nginx + listen.owner = ${config.services.nginx.user} + listen.group = ${config.services.nginx.group} listen.mode = 0600 - user = ${cfg.user} pm = dynamic pm.max_children = 75 pm.start_servers = 10 @@ -544,7 +546,7 @@ let locations."~ \.php$" = { extraConfig = '' fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen}; + fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock; fastcgi_index index.php; ''; }; -- cgit 1.4.1 From eee87b460ea9a5a9e122dcc313fa20b9962872a5 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sun, 16 Jun 2019 12:31:09 +0300 Subject: nixos/phpfpm: remove options services.phpfpm.poolConfigs --- nixos/modules/rename.nix | 6 + .../services/web-servers/phpfpm/default.nix | 133 +++++++++++---------- .../services/web-servers/phpfpm/pool-options.nix | 68 ----------- 3 files changed, 73 insertions(+), 134 deletions(-) delete mode 100644 nixos/modules/services/web-servers/phpfpm/pool-options.nix (limited to 'nixos/modules') diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index a424e86038e..7792c1eca9f 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
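Review bot: The pool now sets `user = "${config.services.nginx.user}"` and `group = "${config.services.nginx.group}"` and drops the old `user = ${cfg.user}` line, so services.tt-rss.user is silently ignored and the PHP workers run as the web server itself, which is a step backwards for a series titled "do not run anything as root" and breaks the option's contract. Keep the configured account and give the web server directory access instead: `user = cfg.user; group = cfg.user;` together with `users.users.${config.services.nginx.user}.extraGroups = [ cfg.user ];`, leaving `listen.owner`/`listen.group` on the nginx user as written. The enclosing `services.phpfpm.pools` definition starts before this hunk and the tt-rss data ownership it relies on is outside it.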
@@ -240,6 +240,12 @@ with lib; # binfmt (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ]) + # PHP-FPM + (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") + (mkRemovedOptionModule [ "services" "phpfpm" "phpPackage" ] "Use services.phpfpm.pools..phpPackage instead.") + (mkRemovedOptionModule [ "services" "phpfpm" "phpOptions" ] "Use services.phpfpm.pools..phpOptions instead.") + (mkRenamedOptionModule [ "services" "phpfpm" "extraConfig" ] [ "services" "phpfpm" "globalExtraConfig" ]) + ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix index b4a1a55687d..e424080ab1f 100644 --- a/nixos/modules/services/web-servers/phpfpm/default.nix +++ b/nixos/modules/services/web-servers/phpfpm/default.nix @@ -4,37 +4,26 @@ with lib; let cfg = config.services.phpfpm; - enabled = cfg.poolConfigs != {} || cfg.pools != {}; + enabled = cfg.pools != {}; - poolConfigs = - (mapAttrs mapPoolConfig cfg.poolConfigs) // - (mapAttrs mapPool cfg.pools); - - mapPoolConfig = n: p: { - phpPackage = cfg.phpPackage; - phpOptions = cfg.phpOptions; - config = p; - }; + poolConfigs = (mapAttrs mapPool cfg.pools); mapPool = n: p: { phpPackage = p.phpPackage; phpOptions = p.phpOptions; userPool = p.user; groupPool = p.group; - config = '' - ${p.extraConfig} - ''; }; fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" '' [global] error_log = syslog daemonize = no - ${cfg.extraConfig} + ${cfg.globalExtraConfig} [${pool}] listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock - ${conf} + ${cfg.pools.${pool}.extraConfig} ''; phpIni = pool: pkgs.runCommand "php.ini" { 
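Review bot: The two `mkRemovedOptionModule` messages read `services.phpfpm.pools..phpPackage` and `services.phpfpm.pools..phpOptions` with nothing between the dots, which points users at a path that does not exist; if a `<name>` placeholder was lost (possibly only in this rendering of the page, so please check the source), the text should be `"Use services.phpfpm.pools.<name>.phpPackage instead."` and likewise for phpOptions.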
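Review bot: `fpmCfgFile = pool: conf:` keeps its `conf` parameter but now ignores it in favour of `cfg.pools.${pool}.extraConfig`, and `mapPool` no longer produces a `config` attribute; the serviceConfig introduced earlier in this series builds `cfgFile = fpmCfgFile pool poolConfig.config`, and that call site is not in any hunk of this commit, so if it was left unchanged every pool fails evaluation with "attribute 'config' missing". Either restore `config = p.extraConfig;` in mapPool or, cleaner, make it `fpmCfgFile = pool:` and update the caller to `fpmCfgFile pool`. The `poolConfigs = (mapAttrs mapPool cfg.pools);` binding also no longer needs its parentheses.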
@@ -51,67 +40,79 @@ let in { options = { services.phpfpm = { - extraConfig = mkOption { + globalExtraConfig = mkOption { type = types.lines; default = ""; description = '' - Extra configuration that should be put in the global section of + Global extra configuration that should be put in the global section of the PHP-FPM configuration file. Do not specify the options error_log or - daemonize here, since they are generated by - NixOS. - ''; - }; - - phpPackage = mkOption { - type = types.package; - default = pkgs.php; - defaultText = "pkgs.php"; - description = '' - The PHP package to use for running the PHP-FPM service. - ''; - }; - - phpOptions = mkOption { - type = types.lines; - default = ""; - example = - '' - date.timezone = "CET" - ''; - description = - "Options appended to the PHP configuration file php.ini."; - }; - - poolConfigs = mkOption { - default = {}; - type = types.attrsOf types.lines; - example = literalExample '' - { mypool = ''' - listen = /run/phpfpm/mypool - user = nobody - pm = dynamic - pm.max_children = 75 - pm.start_servers = 10 - pm.min_spare_servers = 5 - pm.max_spare_servers = 20 - pm.max_requests = 500 - '''; - } - ''; - description = '' - A mapping between PHP-FPM pool names and their configurations. - See the documentation on php-fpm.conf for - details on configuration directives. If no pools are defined, - the phpfpm service is disabled. + daemonize here, since they are generated by NixOS. ''; }; pools = mkOption { - type = types.attrsOf (types.submodule (import ./pool-options.nix { - inherit lib config; - })); default = {}; + type = types.attrsOf (types.submodule { + options = { + socketName = mkOption { + type = types.str; + example = "php-fpm"; + description = '' + The address on which to accept FastCGI requests. + ''; + }; + + phpPackage = mkOption { + type = types.package; + default = fpmCfg.phpPackage; + defaultText = "config.services.phpfpm.phpPackage"; + description = '' + The PHP package to use for running this PHP-FPM pool. 
+ ''; + }; + + phpOptions = mkOption { + type = types.lines; + default = fpmCfg.phpOptions; + defaultText = "config.services.phpfpm.phpOptions"; + description = '' + "Options appended to the PHP configuration file php.ini used for this PHP-FPM pool." + ''; + }; + + user = mkOption { + type = types.string; + default = "phpfpm"; + description = "User account under which phpfpm runs."; + }; + + group = mkOption { + type = types.string; + default = "phpfpm"; + description = "Group account under which phpfpm runs."; + }; + + extraConfig = mkOption { + type = types.lines; + example = '' + pm = dynamic + pm.max_children = 75 + pm.start_servers = 10 + pm.min_spare_servers = 5 + pm.max_spare_servers = 20 + pm.max_requests = 500 + ''; + + description = '' + Extra lines that go into the pool configuration. + See the documentation on php-fpm.conf for + details on configuration directives. + ''; + }; + }; + }); + example = literalExample '' { mypool = { diff --git a/nixos/modules/services/web-servers/phpfpm/pool-options.nix b/nixos/modules/services/web-servers/phpfpm/pool-options.nix deleted file mode 100644 index 2c3ed090e1c..00000000000 --- a/nixos/modules/services/web-servers/phpfpm/pool-options.nix +++ /dev/null 
@@ -1,68 +0,0 @@ -{ lib, config }: - -let - fpmCfg = config.services.phpfpm; -in - -with lib; { - - options = { - - socketName = mkOption { - type = types.str; - example = "php-fpm"; - description = '' - The address on which to accept FastCGI requests. - ''; - }; - - phpPackage = mkOption { - type = types.package; - default = fpmCfg.phpPackage; - defaultText = "config.services.phpfpm.phpPackage"; - description = '' - The PHP package to use for running this PHP-FPM pool. - ''; - }; - - phpOptions = mkOption { - type = types.lines; - default = fpmCfg.phpOptions; - defaultText = "config.services.phpfpm.phpOptions"; - description = '' - "Options appended to the PHP configuration file php.ini used for this PHP-FPM pool." - ''; - }; - - user = mkOption { - type = types.string; - default = "phpfpm"; - description = "User account under which phpfpm runs."; - }; - - group = mkOption { - type = types.string; - default = "phpfpm"; - description = "Group account under which phpfpm runs."; - }; - - extraConfig = mkOption { - type = types.lines; - example = '' - pm = dynamic - pm.max_children = 75 - pm.start_servers = 10 - pm.min_spare_servers = 5 - pm.max_spare_servers = 20 - pm.max_requests = 500 - ''; - - description = '' - Extra lines that go into the pool configuration. - See the documentation on php-fpm.conf for - details on configuration directives. - ''; - }; - }; -} - -- cgit 1.4.1