phpfpm service: one service per pool for isolation

Franz Pletz 2017-01-25 23:21:33 +01:00
parent 81b43ccd57
commit e3d58dae7f
No known key found for this signature in database
GPG Key ID: 846FDED7792617B4


@ -7,21 +7,21 @@ let
stateDir = "/run/phpfpm";
poolConfigs = cfg.poolConfigs // mapAttrs mkPool cfg.pools;
mkPool = n: p: ''
[${n}]
listen = ${p.listen}
${p.extraConfig}
'';
cfgFile = pkgs.writeText "phpfpm.conf" ''
fpmCfgFile = pool: poolConfig: pkgs.writeText "phpfpm-${pool}.conf" ''
[global]
error_log = syslog
daemonize = no
${cfg.extraConfig}
${concatStringsSep "\n" (mapAttrsToList mkPool cfg.pools)}
${concatStringsSep "\n" (mapAttrsToList (n: v: "[${n}]\n${v}") cfg.poolConfigs)}
[${pool}]
${poolConfig}
'';
phpIni = pkgs.runCommand "php.ini" {
@ -119,18 +119,29 @@ in {
};
};
config = mkIf (cfg.pools != {} || cfg.poolConfigs != {}) {
systemd.services.phpfpm = {
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "${stateDir}"
'';
serviceConfig = {
Type = "notify";
ExecStart = "${cfg.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${phpIni}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
};
};
config = {
systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig:
nameValuePair "phpfpm-${pool}" {
description = "PHP FastCGI Process Manager for pool ${pool}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p ${stateDir}
'';
serviceConfig = let
cfgFile = fpmCfgFile pool poolConfig;
in {
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = "full";
ProtectHome = true;
NoNewPrivileges = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
Type = "notify";
ExecStart = "${cfg.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${phpIni}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
};
}
);
};
}
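Review bot: The hardening block in `serviceConfig` (`PrivateTmp` through `RestrictAddressFamilies`) is applied unconditionally to every generated `phpfpm-<pool>` unit, and nothing in the hunk documents it or gives a pool a way to opt out; `ProtectHome = true` in particular will make any pool whose scripts live under /home fail at runtime, which an operator can then only undo with `systemd.services."phpfpm-<pool>".serviceConfig.ProtectHome = mkForce false`. The option descriptions that would explain this live outside the hunk, so at minimum a comment above the block is warranted, e.g. `# Sandboxing applied to every pool unit; pools serving files outside the store or /var (see ProtectHome/ProtectSystem) must relax it per unit.`. The rename from a single `systemd.services.phpfpm` to per-pool units also silently breaks any existing `after`/`requires` references or per-service overrides targeting the old unit name, which deserves a release-notes entry. Dropping the `mkIf (cfg.pools != {} || cfg.poolConfigs != {})` guard looks safe, since `mapAttrs'` over an empty `poolConfigs` yields no units, and the unquoted `${stateDir}` in `preStart` is harmless while `stateDir` stays a literal path without whitespace (its definition is in the first hunk).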