author | Igor Pashev <pashev.igor@gmail.com> | 2017-02-01 20:11:38 +0300 |
committer | Igor Pashev <pashev.igor@gmail.com> | 2017-02-01 21:00:44 +0300 |
commit | 809a35ba85df0a202d26d9ee8cfa474c7eecdf99 (patch) | |
tree | 4e72d07fabf4d8bbcd1c731dc54a7745bc88db92 /modules | |
parent | 092d712689eec989003ec23f5ac19da9134acea4 (diff) | |
download | nixsap-809a35ba85df0a202d26d9ee8cfa474c7eecdf99.tar.gz |
php-fpm: make use of home directory
Potentially breaking, these options are removed:
pool.user, pool.listen.owner, pool.listen.mode.
Since the socket owner can no longer be set,
nginx needs to belong to the appropriate PHP-FPM group.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/apps/icingaweb2.nix | 5 | ||||
-rw-r--r-- | modules/apps/mediawiki/default.nix | 15 | ||||
-rw-r--r-- | modules/apps/php-fpm.nix | 54 |
3 files changed, 52 insertions, 22 deletions
diff --git a/modules/apps/icingaweb2.nix b/modules/apps/icingaweb2.nix
index 852c546..fad0509 100644
--- a/modules/apps/icingaweb2.nix
+++ b/modules/apps/icingaweb2.nix
@@ -161,7 +161,6 @@ let )); defaultPool = { - listen.owner = config.nixsap.apps.nginx.user; pm.max_children = 10; pm.max_requests = 1000; pm.max_spare_servers = 5;
@@ -363,11 +362,13 @@ in { config = mkIf cfg.enable { nixsap.deployment.keyrings.root = keys; + users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ]; users.users.icingaweb2.extraGroups = mkIf localIcinga [ config.nixsap.apps.icinga2.commandGroup ]; nixsap.apps.php-fpm.icingaweb2 = mkOverride 0 { + inherit (cfg) user; inherit (cfg.php-fpm) package; - pool = recursiveUpdate defaultPool (cfg.php-fpm.pool // { user = cfg.user ;}); + pool = recursiveUpdate defaultPool cfg.php-fpm.pool; }; nixsap.apps.nginx.conf.http.servers.icingaweb2 = ''
diff --git a/modules/apps/mediawiki/default.nix b/modules/apps/mediawiki/default.nix
index 2988f07..07dc6e9 100644
--- a/modules/apps/mediawiki/default.nix
+++ b/modules/apps/mediawiki/default.nix
@@ -14,11 +14,10 @@ let attrNames elem isAttrs isBool isList isString ; cfg = config.nixsap.apps.mediawiki; - user = config.nixsap.apps.mediawiki.user; + user = cfg.user; php = cfg.php-fpm.package; defaultPool = { - listen.owner = config.nixsap.apps.nginx.user; pm.max_children = 10; pm.max_requests = 1000; pm.max_spare_servers = 5;
@@ -163,7 +162,7 @@ let } chmod -Rc u=rwX,g=rX,o= '${cfg.localSettings.wgUploadDirectory}' - chown -Rc '${user}:${user}' '${cfg.localSettings.wgUploadDirectory}' + chown -Rc '${cfg.user}:${cfg.user}' '${cfg.localSettings.wgUploadDirectory}' ''; nginx = ''
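Review bot: The added `users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ];` in the icingaweb2 @@ -363 hunk, and the same line in the mediawiki @@ -295 hunk, assume a group named exactly after the pool user exists; nothing in this diff creates such a group, so this presumably relies on the user definition in php-fpm.nix outside these hunks setting a same-named primary group — worth confirming, since a missing group fails activation. Group membership is now the only thing standing between nginx and the 0660 socket, and with the pool's home chmod'ed `g=rX` it also lets nginx read the pool's error log, so the intent deserves a comment on both lines: `# nginx must share the pool user's group to open the 0660 FPM socket`. In the mediawiki hunk the line also drops the former `mkIf cfg.localSettings.wgEnableUploads` guard, which is correct now that the membership is needed regardless of uploads, but the commit message does not mention it.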
@@ -295,13 +294,13 @@ in { }; config = mkIf cfg.enable { - nixsap.deployment.keyrings.${user} = keys; - users.users.${config.nixsap.apps.nginx.user}.extraGroups = - mkIf cfg.localSettings.wgEnableUploads [ user ]; + nixsap.deployment.keyrings.${cfg.user} = keys; + users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ]; nixsap.apps.php-fpm.mediawiki = mkOverride 0 { + inherit (cfg) user; inherit (cfg.php-fpm) package; - pool = recursiveUpdate defaultPool (cfg.php-fpm.pool // { user = cfg.user ;}); + pool = recursiveUpdate defaultPool cfg.php-fpm.pool; }; nixsap.apps.nginx.conf.http.servers.mediawiki = nginx;
@@ -314,7 +313,7 @@ in { serviceConfig = { RemainAfterExit = true; Type = "oneshot"; - User = config.nixsap.apps.php-fpm.mediawiki.pool.user; + User = cfg.user; ExecStart = "${mediawiki-db}/bin/mediawiki-db"; }; };
diff --git a/modules/apps/php-fpm.nix b/modules/apps/php-fpm.nix
index 6486975..ed90c1a 100644
--- a/modules/apps/php-fpm.nix
+++ b/modules/apps/php-fpm.nix
@@ -14,14 +14,14 @@ let explicit = filterAttrs (n: v: n != "_module" && v != null); concatNonEmpty = sep: list: concatStringsSep sep (filter (s: s != "") list); - attrs = opts: submodule { options = opts; }; default = d: t: mkOption { type = t; default = d; }; + readonly = d: t: mkOption { type = t; default = d; readOnly = true; }; mandatory = t: mkOption { type = t; }; optional = t: mkOption { type = nullOr t; default = null; }; instances = explicit (config.nixsap.apps.php-fpm); - users = mapAttrsToList (_: v: v.pool.user) instances; + users = mapAttrsToList (_: v: v.user) instances; mkService = name: cfg: let
@@ -52,6 +52,7 @@ let ${concatNonEmpty "\n" (mapAttrsToList mkGlobal (explicit cfg.global))} [pool] + listen.mode = 0660 ${concatNonEmpty "\n" (mapAttrsToList mkPool (explicit cfg.pool))} ''; exec = "${cfg.package}/bin/php-fpm --fpm-config ${conf} "
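Review bot: The literal `listen.mode = 0660` added in the php-fpm.nix @@ -52 hunk makes the socket's trust boundary "every member of the pool user's primary group", and neither the generated config nor the module records that. Because the pool now runs entirely as `cfg.user` (per the `User = cfg.user` in the service hunk), the socket's owner and group are whatever that user has, so the mode is the only access control left and it is not overridable by `cfg.pool` since the `listen.mode` option was removed. A one-line ini comment in the generated file would make that visible to anyone debugging permissions: `; 0660: group members (e.g. nginx, added via users.extraGroups) get full access to this pool`. The `conf` string this hunk edits begins outside the hunk.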
@@ -63,9 +64,17 @@ let description = "PHP FastCGI Process Manager (${name})"; after = [ "local-fs.target" ]; wantedBy = [ "multi-user.target" ]; + preStart = '' + mkdir -p -- '${cfg.home}' '${cfg.logDir}' + rm -f -- '${cfg.pool.listen.socket}' + chown -Rc '${cfg.user}:${cfg.user}' -- '${cfg.home}' + chmod -Rc u=rwX,g=rX,o= -- '${cfg.home}' + ''; serviceConfig = { ExecStart = exec; + PermissionsStartOnly = true; Restart = "always"; + User = cfg.user; }; }; };
@@ -75,22 +84,47 @@ in { options.nixsap.apps.php-fpm = default {} (attrsOf (submodule( { config, name, ... }: { options = { - package = default pkgs.php package; - php-ini = optional path; + home = mkOption { + description = "Directory with logs and the socket"; + type = path; + default = "/php-fpm/${name}"; + }; + logDir = mkOption { + description = "Directory with logs. This is convenient read-only option"; + type = path; + readOnly = true; + default = "${config.home}/log"; + }; + user = mkOption { + description = "User to run as"; + type = str; + default = "php-fpm-${name}"; + }; + package = mkOption { + description = "PHP package to use FPM from"; + type = package; + default = pkgs.php; + }; + php-ini = mkOption { + description = "php.ini file to pass to php-fpm"; + type = nullOr path; + default = null; + }; + global = { emergency_restart_interval = optional int; emergency_restart_threshold = optional int; - error_log = default "/var/log/php-fpm-${name}.log" path; + error_log = readonly "${config.logDir}/error.log" path; log_level = optional (enum ["alert" "error" "warning" "notice" "debug"]); process_control_timeout = optional int; rlimit_core = optional int; rlimit_files = optional int; - process = optional (attrs { + process = { max = optional int; priority = optional int; - }); + }; }; pool = {
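Review bot: The new `preStart` in the @@ -63 hunk runs as root (`PermissionsStartOnly = true`) and applies `chown -Rc` and `chmod -Rc` to the whole of `${cfg.home}`, a tree that `cfg.user` owns and can populate after the first start. A recursive re-own/re-mode by root over a user-writable tree is a well-known hazard: anything the service user manages to link into that tree is handed to it on the next restart (hard links in particular, unless the kernel's protected_hardlinks setting is on — not visible from this module). The script only creates `cfg.home` and `cfg.logDir` itself, so the non-recursive forms cover exactly what it is responsible for: `chown -c '${cfg.user}:${cfg.user}' -- '${cfg.home}' '${cfg.logDir}'` and `chmod -c u=rwX,g=rX,o= -- '${cfg.home}' '${cfg.logDir}'`. Files php-fpm creates later (the socket, error.log) get their modes from `listen.mode` and the process umask, so nothing depends on the recursion. The `mkService` binding that contains this service definition starts outside the hunk.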
@@ -105,14 +139,10 @@ in { request_terminate_timeout = optional int; rlimit_core = optional int; rlimit_files = optional int; - user = default "php-fpm-${name}" str; listen = { acl_groups = optional str; backlog = optional int; - group = optional str; - mode = optional str; - owner = default config.pool.user str; - socket = default "/run/php-fpm-${name}.sock" path; + socket = readonly "${config.home}/sock" path; }; pm = { max_children = mandatory int; |
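Review bot: `socket = readonly "${config.home}/sock" path;` turns a previously settable option into a read-only one without a description, so a user who still sets `pool.listen.socket` (or the removed `user`, `owner`, `mode`, `group`) gets a bare evaluation error with no hint that `home` is now the knob to move it. The `readonly` helper takes no description, so either extend it or spell this one out with `mkOption`, e.g. description "Unix socket path; fixed to <home>/sock, set `home` to relocate it". After this change `acl_groups` is, as far as these hunks show, the only remaining way to grant socket access beyond the pool user's primary group, which is worth stating in the same place. The enclosing `pool = {` attribute set begins outside the hunk.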