Diffstat (limited to '')
-rw-r--r--sys/web/php-fpm.nix252
1 files changed, 127 insertions, 125 deletions
diff --git a/sys/web/php-fpm.nix b/sys/web/php-fpm.nix
index 65276ba..33efe1a 100644
--- a/sys/web/php-fpm.nix
+++ b/sys/web/php-fpm.nix
@@ -2,151 +2,153 @@
# See also:
# - <https://albert.cx/20181125-use-separate-systemd-units-for-php-fpm-pools>
# - <https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/>
-
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.services.php-fpm-isolated;
- configFile = { pool, poolOpts, runtimeDir, sockFile, pidFile }:
- let
- config = {
- global = {
- daemonize = false;
- error_log = "syslog";
- pid = pidFile;
- };
+ configFile = {
+ pool,
+ poolOpts,
+ runtimeDir,
+ sockFile,
+ pidFile,
+ }: let
+ config = {
+ global = {
+ daemonize = false;
+ error_log = "syslog";
+ pid = pidFile;
+ };
- "${pool}" =
- let
- enforced = {
- inherit (poolOpts) user group;
- listen = sockFile;
- };
+ "${pool}" = let
+ enforced = {
+ inherit (poolOpts) user group;
+ listen = sockFile;
+ };
- defaults = {
- "pm" = "dynamic";
- "pm.max_children" = 16;
- "pm.min_spare_servers" = 1;
- "pm.max_spare_servers" = 4;
- "pm.start_servers" = 1;
- "catch_workers_output" = true;
- "php_admin_flag[log_errors]" = true;
- "env[PATH]" = makeBinPath [ pkgs.php ];
- };
+ defaults = {
+ "pm" = "dynamic";
+ "pm.max_children" = 16;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 4;
+ "pm.start_servers" = 1;
+ "catch_workers_output" = true;
+ "php_admin_flag[log_errors]" = true;
+ "env[PATH]" = makeBinPath [pkgs.php];
+ };
- env = mapAttrs'
- (name: value: {
- name = "env[${name}]";
- value = "\"${escape [ "\"" ] value}\"";
- })
- poolOpts.env;
- in
- defaults // poolOpts.config // env // enforced;
- };
- in
- (pkgs.formats.ini { }).generate "php-fpm-pool-${pool}.conf" config;
-in
-{
+ env =
+ mapAttrs'
+ (name: value: {
+ name = "env[${name}]";
+ value = "\"${escape ["\""] value}\"";
+ })
+ poolOpts.env;
+ in
+ defaults // poolOpts.config // env // enforced;
+ };
+ in
+ (pkgs.formats.ini {}).generate "php-fpm-pool-${pool}.conf" config;
+in {
options.services.php-fpm-isolated.pools = mkOption {
- default = { };
+ default = {};
- type = with types; attrsOf (submodule {
- options = {
- enable = mkEnableOption "PHP-FPM pool";
+ type = with types;
+ attrsOf (submodule {
+ options = {
+ enable = mkEnableOption "PHP-FPM pool";
- user = mkOption {
- type = str;
- };
+ user = mkOption {
+ type = str;
+ };
- group = mkOption {
- type = str;
- };
+ group = mkOption {
+ type = str;
+ };
- unveil = mkOption {
- type = listOf (either package str);
- };
+ unveil = mkOption {
+ type = listOf (either package str);
+ };
- env = mkOption {
- type = attrsOf str;
- default = { };
- };
+ env = mkOption {
+ type = attrsOf str;
+ default = {};
+ };
- config = mkOption {
- type = attrsOf (oneOf [ int str bool ]);
- default = { };
+ config = mkOption {
+ type = attrsOf (oneOf [int str bool]);
+ default = {};
+ };
};
- };
- });
+ });
};
- config.systemd =
- let
- php-fpm = "${pkgs.php}/bin/php-fpm";
-
- unitsFor = pool: poolOpts:
- let
- runtimeBase = "php-fpm-isolated/${pool}";
- runtimeDir = "/run/${runtimeBase}";
- pidFile = "${runtimeDir}/${pool}.pid";
- sockFile = "${runtimeDir}/${pool}.sock";
- in
- {
- name = "php-fpm-pool-${pool}";
-
- value.service = {
- description = "PHP-FPM process manager for pool '${pool}'";
- after = [ "network.target" ];
-
- confinement.enable = true;
-
- serviceConfig = {
- Type = "notify";
- ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
- PIDFile = pidFile;
-
- Environment = "FPM_SOCKETS=${sockFile}=3";
-
- ExecStart =
- let
- fpmConfig = configFile {
- inherit pool poolOpts runtimeDir sockFile pidFile;
- };
- in
- "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}";
-
- PrivateTmp = true;
- PrivateNetwork = true;
- PrivateDevices = true;
- # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
-
- User = poolOpts.user;
- Group = poolOpts.group;
- RuntimeDirectory = runtimeBase;
-
- BindReadOnlyPaths =
- let
- unveiled = map builtins.toString poolOpts.unveil;
- in
- [ "/run/systemd/journal/socket" ] ++ unveiled;
- };
- };
+ config.systemd = let
+ php-fpm = "${pkgs.php}/bin/php-fpm";
+
+ unitsFor = pool: poolOpts: let
+ runtimeBase = "php-fpm-isolated/${pool}";
+ runtimeDir = "/run/${runtimeBase}";
+ pidFile = "${runtimeDir}/${pool}.pid";
+ sockFile = "${runtimeDir}/${pool}.sock";
+ in {
+ name = "php-fpm-pool-${pool}";
- value.socket = {
- description = "PHP-FPM socket for pool '${pool}'";
- listenStreams = [ sockFile ];
+ value.service = {
+ description = "PHP-FPM process manager for pool '${pool}'";
+ after = ["network.target"];
- socketConfig = {
- User = poolOpts.user;
- Group = poolOpts.group;
+ confinement.enable = true;
+
+ serviceConfig = {
+ Type = "notify";
+ ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
+ PIDFile = pidFile;
+
+ Environment = "FPM_SOCKETS=${sockFile}=3";
+
+ ExecStart = let
+ fpmConfig = configFile {
+ inherit pool poolOpts runtimeDir sockFile pidFile;
};
- };
+ in "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}";
+
+ PrivateTmp = true;
+ PrivateNetwork = true;
+ PrivateDevices = true;
+ # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+
+ User = poolOpts.user;
+ Group = poolOpts.group;
+ RuntimeDirectory = runtimeBase;
+
+ BindReadOnlyPaths = let
+ unveiled = map builtins.toString poolOpts.unveil;
+ in
+ ["/run/systemd/journal/socket"] ++ unveiled;
};
+ };
+
+ value.socket = {
+ description = "PHP-FPM socket for pool '${pool}'";
+ listenStreams = [sockFile];
- units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools);
- in
- {
- sockets = mapAttrs (_: unit: unit.socket) units;
- services = mapAttrs (_: unit: unit.service) units;
+ socketConfig = {
+ User = poolOpts.user;
+ Group = poolOpts.group;
+ };
+ };
};
+
+ units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools);
+ in {
+ sockets = mapAttrs (_: unit: unit.socket) units;
+ services = mapAttrs (_: unit: unit.service) units;
+ };
}