aboutsummaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorIgor Pashev <pashev.igor@gmail.com>2017-02-01 20:11:38 +0300
committerIgor Pashev <pashev.igor@gmail.com>2017-02-01 21:00:44 +0300
commit809a35ba85df0a202d26d9ee8cfa474c7eecdf99 (patch)
tree4e72d07fabf4d8bbcd1c731dc54a7745bc88db92 /modules
parent092d712689eec989003ec23f5ac19da9134acea4 (diff)
downloadnixsap-809a35ba85df0a202d26d9ee8cfa474c7eecdf99.tar.gz
php-fpm: make use of home directory
Potentially breaking, these options are removed: pool.user, pool.listen.owner, pool.listen.mode. Since socket owner cannot be set now, nginx needs to belong to the appropriate PHP-FPM group.
Diffstat (limited to 'modules')
-rw-r--r--modules/apps/icingaweb2.nix5
-rw-r--r--modules/apps/mediawiki/default.nix15
-rw-r--r--modules/apps/php-fpm.nix54
3 files changed, 52 insertions, 22 deletions
diff --git a/modules/apps/icingaweb2.nix b/modules/apps/icingaweb2.nix
index 852c546..fad0509 100644
--- a/modules/apps/icingaweb2.nix
+++ b/modules/apps/icingaweb2.nix
@@ -161,7 +161,6 @@ let
));
defaultPool = {
- listen.owner = config.nixsap.apps.nginx.user;
pm.max_children = 10;
pm.max_requests = 1000;
pm.max_spare_servers = 5;
@@ -363,11 +362,13 @@ in {
config = mkIf cfg.enable {
nixsap.deployment.keyrings.root = keys;
+ users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ];
users.users.icingaweb2.extraGroups = mkIf localIcinga [ config.nixsap.apps.icinga2.commandGroup ];
nixsap.apps.php-fpm.icingaweb2 = mkOverride 0 {
+ inherit (cfg) user;
inherit (cfg.php-fpm) package;
- pool = recursiveUpdate defaultPool (cfg.php-fpm.pool // { user = cfg.user ;});
+ pool = recursiveUpdate defaultPool cfg.php-fpm.pool;
};
nixsap.apps.nginx.conf.http.servers.icingaweb2 = ''
diff --git a/modules/apps/mediawiki/default.nix b/modules/apps/mediawiki/default.nix
index 2988f07..07dc6e9 100644
--- a/modules/apps/mediawiki/default.nix
+++ b/modules/apps/mediawiki/default.nix
@@ -14,11 +14,10 @@ let
attrNames elem isAttrs isBool isList isString ;
cfg = config.nixsap.apps.mediawiki;
- user = config.nixsap.apps.mediawiki.user;
+ user = cfg.user;
php = cfg.php-fpm.package;
defaultPool = {
- listen.owner = config.nixsap.apps.nginx.user;
pm.max_children = 10;
pm.max_requests = 1000;
pm.max_spare_servers = 5;
@@ -163,7 +162,7 @@ let
}
chmod -Rc u=rwX,g=rX,o= '${cfg.localSettings.wgUploadDirectory}'
- chown -Rc '${user}:${user}' '${cfg.localSettings.wgUploadDirectory}'
+ chown -Rc '${cfg.user}:${cfg.user}' '${cfg.localSettings.wgUploadDirectory}'
'';
nginx = ''
@@ -295,13 +294,13 @@ in {
};
config = mkIf cfg.enable {
- nixsap.deployment.keyrings.${user} = keys;
- users.users.${config.nixsap.apps.nginx.user}.extraGroups =
- mkIf cfg.localSettings.wgEnableUploads [ user ];
+ nixsap.deployment.keyrings.${cfg.user} = keys;
+ users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ];
nixsap.apps.php-fpm.mediawiki = mkOverride 0 {
+ inherit (cfg) user;
inherit (cfg.php-fpm) package;
- pool = recursiveUpdate defaultPool (cfg.php-fpm.pool // { user = cfg.user ;});
+ pool = recursiveUpdate defaultPool cfg.php-fpm.pool;
};
nixsap.apps.nginx.conf.http.servers.mediawiki = nginx;
@@ -314,7 +313,7 @@ in {
serviceConfig = {
RemainAfterExit = true;
Type = "oneshot";
- User = config.nixsap.apps.php-fpm.mediawiki.pool.user;
+ User = cfg.user;
ExecStart = "${mediawiki-db}/bin/mediawiki-db";
};
};
diff --git a/modules/apps/php-fpm.nix b/modules/apps/php-fpm.nix
index 6486975..ed90c1a 100644
--- a/modules/apps/php-fpm.nix
+++ b/modules/apps/php-fpm.nix
@@ -14,14 +14,14 @@ let
explicit = filterAttrs (n: v: n != "_module" && v != null);
concatNonEmpty = sep: list: concatStringsSep sep (filter (s: s != "") list);
- attrs = opts: submodule { options = opts; };
default = d: t: mkOption { type = t; default = d; };
+ readonly = d: t: mkOption { type = t; default = d; readOnly = true; };
mandatory = t: mkOption { type = t; };
optional = t: mkOption { type = nullOr t; default = null; };
instances = explicit (config.nixsap.apps.php-fpm);
- users = mapAttrsToList (_: v: v.pool.user) instances;
+ users = mapAttrsToList (_: v: v.user) instances;
mkService = name: cfg:
let
@@ -52,6 +52,7 @@ let
${concatNonEmpty "\n" (mapAttrsToList mkGlobal (explicit cfg.global))}
[pool]
+ listen.mode = 0660
${concatNonEmpty "\n" (mapAttrsToList mkPool (explicit cfg.pool))}
'';
exec = "${cfg.package}/bin/php-fpm --fpm-config ${conf} "
@@ -63,9 +64,17 @@ let
description = "PHP FastCGI Process Manager (${name})";
after = [ "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ mkdir -p -- '${cfg.home}' '${cfg.logDir}'
+ rm -f -- '${cfg.pool.listen.socket}'
+ chown -Rc '${cfg.user}:${cfg.user}' -- '${cfg.home}'
+ chmod -Rc u=rwX,g=rX,o= -- '${cfg.home}'
+ '';
serviceConfig = {
ExecStart = exec;
+ PermissionsStartOnly = true;
Restart = "always";
+ User = cfg.user;
};
};
};
@@ -75,22 +84,47 @@ in {
options.nixsap.apps.php-fpm = default {}
(attrsOf (submodule( { config, name, ... }: {
options = {
- package = default pkgs.php package;
- php-ini = optional path;
+ home = mkOption {
+ description = "Directory with logs and the socket";
+ type = path;
+ default = "/php-fpm/${name}";
+ };
+ logDir = mkOption {
+ description = "Directory with logs. This is convenient read-only option";
+ type = path;
+ readOnly = true;
+ default = "${config.home}/log";
+ };
+ user = mkOption {
+ description = "User to run as";
+ type = str;
+ default = "php-fpm-${name}";
+ };
+ package = mkOption {
+ description = "PHP package to use FPM from";
+ type = package;
+ default = pkgs.php;
+ };
+ php-ini = mkOption {
+ description = "php.ini file to pass to php-fpm";
+ type = nullOr path;
+ default = null;
+ };
+
global = {
emergency_restart_interval = optional int;
emergency_restart_threshold = optional int;
- error_log = default "/var/log/php-fpm-${name}.log" path;
+ error_log = readonly "${config.logDir}/error.log" path;
log_level = optional (enum ["alert" "error" "warning" "notice" "debug"]);
process_control_timeout = optional int;
rlimit_core = optional int;
rlimit_files = optional int;
- process = optional (attrs {
+ process = {
max = optional int;
priority = optional int;
- });
+ };
};
pool = {
@@ -105,14 +139,10 @@ in {
request_terminate_timeout = optional int;
rlimit_core = optional int;
rlimit_files = optional int;
- user = default "php-fpm-${name}" str;
listen = {
acl_groups = optional str;
backlog = optional int;
- group = optional str;
- mode = optional str;
- owner = default config.pool.user str;
- socket = default "/run/php-fpm-${name}.sock" path;
+ socket = readonly "${config.home}/sock" path;
};
pm = {
max_children = mandatory int;