diff options
Diffstat (limited to 'sys/web/php-fpm.nix')
| -rw-r--r-- | sys/web/php-fpm.nix | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/sys/web/php-fpm.nix b/sys/web/php-fpm.nix new file mode 100644 index 0000000..33efe1a --- /dev/null +++ b/sys/web/php-fpm.nix @@ -0,0 +1,154 @@ +# Based on <https://gist.github.com/aanderse/3344baef2c3b86c8a1e98e63bd9256ea> +# See also: +# - <https://albert.cx/20181125-use-separate-systemd-units-for-php-fpm-pools> +# - <https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/> +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.services.php-fpm-isolated; + + configFile = { + pool, + poolOpts, + runtimeDir, + sockFile, + pidFile, + }: let + config = { + global = { + daemonize = false; + error_log = "syslog"; + pid = pidFile; + }; + + "${pool}" = let + enforced = { + inherit (poolOpts) user group; + listen = sockFile; + }; + + defaults = { + "pm" = "dynamic"; + "pm.max_children" = 16; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 4; + "pm.start_servers" = 1; + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + "env[PATH]" = makeBinPath [pkgs.php]; + }; + + env = + mapAttrs' + (name: value: { + name = "env[${name}]"; + value = "\"${escape ["\""] value}\""; + }) + poolOpts.env; + in + defaults // poolOpts.config // env // enforced; + }; + in + (pkgs.formats.ini {}).generate "php-fpm-pool-${pool}.conf" config; +in { + options.services.php-fpm-isolated.pools = mkOption { + default = {}; + + type = with types; + attrsOf (submodule { + options = { + enable = mkEnableOption "PHP-FPM pool"; + + user = mkOption { + type = str; + }; + + group = mkOption { + type = str; + }; + + unveil = mkOption { + type = listOf (either package str); + }; + + env = mkOption { + type = attrsOf str; + default = {}; + }; + + config = mkOption { + type = attrsOf (oneOf [int str bool]); + default = {}; + }; + }; + }); + }; + + config.systemd = let + php-fpm = "${pkgs.php}/bin/php-fpm"; + + unitsFor = pool: poolOpts: let + runtimeBase = "php-fpm-isolated/${pool}"; + runtimeDir = "/run/${runtimeBase}"; + pidFile = "${runtimeDir}/${pool}.pid"; + sockFile = "${runtimeDir}/${pool}.sock"; + in { + name = "php-fpm-pool-${pool}"; + + value.service = { + description = "PHP-FPM process manager for pool '${pool}'"; + after = ["network.target"]; + + confinement.enable = true; + + serviceConfig = { + Type = "notify"; + ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; + PIDFile = pidFile; + + Environment = "FPM_SOCKETS=${sockFile}=3"; + + ExecStart = let + fpmConfig = configFile { + inherit pool poolOpts runtimeDir sockFile pidFile; + }; + in "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}"; + + PrivateTmp = true; + PrivateNetwork = true; + PrivateDevices = true; + # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + + User = poolOpts.user; + Group = poolOpts.group; + RuntimeDirectory = runtimeBase; + + BindReadOnlyPaths = let + unveiled = map builtins.toString poolOpts.unveil; + in + ["/run/systemd/journal/socket"] ++ unveiled; + }; + }; + + value.socket = { + description = "PHP-FPM socket for pool '${pool}'"; + listenStreams = [sockFile]; + + socketConfig = { + User = poolOpts.user; + Group = poolOpts.group; + }; + }; + }; + + units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools); + in { + sockets = mapAttrs (_: unit: unit.socket) units; + services = mapAttrs (_: unit: unit.service) units; + }; +} |