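{ config, lib, pkgs, ... }:

# services.phpfpm: one php-fpm master per declared pool, each as its own
# systemd service grouped under phpfpm.slice / phpfpm.target.  Every pool
# gets a generated php-fpm.conf and php.ini in the Nix store and listens on
# a UNIX socket below /run/phpfpm-<pool>/.

with lib;

let
  cfg = config.services.phpfpm;

  # Nothing is generated until at least one pool is declared.
  enabled = cfg.pools != {};

  # Per-pool values in the shape the service definitions below consume.
  poolConfigs = mapAttrs mapPool cfg.pools;

  mapPool = _name: p: {
    phpPackage = p.phpPackage;
    phpOptions = p.phpOptions;
    userPool = p.user;
    groupPool = p.group;
  };

  # php-fpm.conf for the pool called `pool`.  error_log and daemonize are
  # pinned here: systemd expects php-fpm to stay in the foreground
  # (Type = "notify") and to log through syslog, so globalExtraConfig must
  # not redefine them.
  fpmCfgFile = pool: pkgs.writeText "phpfpm-${pool}.conf" ''
    [global]
    error_log = syslog
    daemonize = no
    ${cfg.globalExtraConfig}

    [${pool}]
    listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock
    ${cfg.pools.${pool}.extraConfig}
  '';

  # php.ini for one pool: the package's stock php.ini, then the NixOS
  # defaults, then the pool's phpOptions.  Order matters, because a later
  # php.ini entry overrides an earlier one.
  phpIni = pool: pkgs.runCommand "php.ini" {
    inherit (pool) phpPackage phpOptions;
    preferLocalBuild = true;
    nixDefaults = ''
      sendmail_path = "/run/wrappers/bin/sendmail -t -i"
    '';
    passAsFile = [ "nixDefaults" "phpOptions" ];
  } ''
    cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out
  '';

in {
  options = {
    services.phpfpm = {
      # Service-wide defaults.  The per-pool phpPackage/phpOptions options
      # fall back to these; their defaultText already named them, but the
      # options themselves were never declared (the defaults referenced an
      # undefined `fpmCfg`), so evaluating any pool failed.
      phpPackage = mkOption {
        type = types.package;
        default = pkgs.php;
        defaultText = "pkgs.php";
        description = ''
          The PHP package used by pools that do not set their own
          <literal>phpPackage</literal>.
        '';
      };

      phpOptions = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Options appended to the PHP configuration file
          <filename>php.ini</filename> of pools that do not set their own
          <literal>phpOptions</literal>.
        '';
      };

      globalExtraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Global extra configuration that should be put in the global section of
          the PHP-FPM configuration file. Do not specify the options
          <literal>error_log</literal> or
          <literal>daemonize</literal> here, since they are generated by NixOS.
        '';
      };

      pools = mkOption {
        default = {};
        type = types.attrsOf (types.submodule {
          options = {
            socketName = mkOption {
              type = types.str;
              example = "php-fpm";
              description = ''
                File name of the UNIX socket on which this pool accepts
                FastCGI requests. The pool listens on
                <filename>/run/phpfpm-POOL/SOCKETNAME.sock</filename>, where
                POOL is the attribute name of the pool.
              '';
            };

            phpPackage = mkOption {
              type = types.package;
              default = cfg.phpPackage;
              defaultText = "config.services.phpfpm.phpPackage";
              description = ''
                The PHP package to use for running this PHP-FPM pool.
              '';
            };

            phpOptions = mkOption {
              type = types.lines;
              default = cfg.phpOptions;
              defaultText = "config.services.phpfpm.phpOptions";
              description = ''
                Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool.
              '';
            };

            # types.str rather than the deprecated types.string: the latter
            # merges several definitions by concatenation, which would turn
            # conflicting user/group settings into a bogus account name
            # instead of an evaluation error.
            user = mkOption {
              type = types.str;
              default = "phpfpm";
              description = "User account under which phpfpm runs.";
            };

            group = mkOption {
              type = types.str;
              default = "phpfpm";
              description = "Group account under which phpfpm runs.";
            };

            extraConfig = mkOption {
              type = types.lines;
              example = ''
                pm = dynamic
                pm.max_children = 75
                pm.start_servers = 10
                pm.min_spare_servers = 5
                pm.max_spare_servers = 20
                pm.max_requests = 500
              '';

              description = ''
                Extra lines that go into the pool configuration.
                See the documentation on <literal>php-fpm.conf</literal> for
                details on configuration directives.
              '';
            };
          };
        });

        example = literalExample ''
          {
            mypool = {
              socketName = "example";
              phpPackage = pkgs.php;
              user = "phpfpm";
              group = "phpfpm";
              extraConfig = '''
                pm = dynamic
                pm.max_children = 75
                pm.start_servers = 10
                pm.min_spare_servers = 5
                pm.max_spare_servers = 20
                pm.max_requests = 500
              ''';
            }
          }
        '';
        description = ''
          PHP-FPM pools. If no pools are defined, the PHP-FPM service is
          disabled.
        '';
      };
    };
  };

  config = mkIf enabled {

    systemd.slices.phpfpm = {
      description = "PHP FastCGI Process manager pools slice";
    };

    systemd.targets.phpfpm = {
      description = "PHP FastCGI Process manager pools target";
      wantedBy = [ "multi-user.target" ];
    };

    systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig:
      nameValuePair "phpfpm-${pool}" {
        description = "PHP FastCGI Process Manager service for pool ${pool}";
        after = [ "network.target" ];
        wantedBy = [ "phpfpm.target" ];
        partOf = [ "phpfpm.target" ];
        serviceConfig = let
          # fpmCfgFile only needs the pool name; the previous call passed
          # `poolConfig.config`, an attribute mapPool never produces.
          cfgFile = fpmCfgFile pool;
          iniFile = phpIni poolConfig;
        in {
          Slice = "phpfpm.slice";
          # Sandboxing: no physical device nodes, /usr, /boot and /etc
          # read-only ("full"), home directories hidden.
          PrivateDevices = true;
          ProtectSystem = "full";
          ProtectHome = true;
          # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
          Type = "notify";
          ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'";
          # USR2 asks the php-fpm master for a graceful reload.
          ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
          # The php-fpm master itself runs as the pool's account, not root.
          User = poolConfig.userPool;
          Group = poolConfig.groupPool;
          # Holds the listen socket.  At mode 0750 owned by User:Group, a web
          # server running under a different account has to be a member of
          # Group (or the pool must set listen.owner / listen.group /
          # listen.mode in extraConfig) before it can reach the socket.
          RuntimeDirectory = "phpfpm-${pool}";
          RuntimeDirectoryMode = "0750";
          # Capabilities retained by the unprivileged master.  CAP_SETUID /
          # CAP_SETGID / CAP_CHOWN are root-equivalent for the pool account,
          # so keep that account dedicated to php-fpm; CAP_NET_BIND_SERVICE
          # only matters for pools that listen on a privileged TCP port.
          # NoNewPrivileges is not set: it would stop the SUID sendmail
          # wrapper referenced from php.ini from gaining privileges.
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
        };
      }
    );
  };
}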