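{ stdenv
, pkgs
, utils
}:
{ serviceSuffix
, configFile ? "/etc/php/php-fpm.conf"
, phpIni ? "/etc/php/php.ini"
}:
# Module-style argument set; nothing in it is read here.
{...}:
# Builds the systemd unit for one php-fpm master process.
#
# The master process runs as root so that it can switch each pool to the
# user/group configured for it; the pools themselves run unprivileged. The
# hardening directives below therefore constrain the root master (and are
# inherited by the pool children), but they do not sandbox the PHP code the
# pools execute - that is still bounded by the pool user's permissions.
#
# Arguments:
#   serviceSuffix  distinguishes several php-fpm instances; it is used in the
#                  unit name and in the runtime directory /run/<serviceSuffix>.
#   configFile     php-fpm.conf passed to --fpm-config (default /etc/php/php-fpm.conf).
#   phpIni         php.ini passed to --php-ini (default /etc/php/php.ini).
utils.systemd.mkService rec {
  name = "php-fpm-${serviceSuffix}";

  content = ''
    [Unit]
    Description=The PHP FastCGI Process Manager
    After=network.target

    [Service]
    Type=notify
    # Must agree with the `pid` setting inside the fpm config. /run/${serviceSuffix}
    # is created through tmpfiles.d, not by this unit (see the note below).
    PIDFile=/run/${serviceSuffix}/php-fpm.pid
    ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configFile} --php-ini ${phpIni}
    # Reference kill by its store path: NixOS does not provide /bin/kill, so a
    # bare /bin/kill makes `systemctl reload` fail. SIGUSR2 is php-fpm's
    # graceful-reload signal (finish in-flight requests, re-read config).
    ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID

    # RuntimeDirectory= / StateDirectory= are intentionally NOT set: both
    # directories are created through tmpfiles.d. They stay here, commented
    # out, so nobody re-adds them and ends up with two owners of the same path.
    #
    # RuntimeDirectory=${serviceSuffix}
    # StateDirectory=${serviceSuffix}

    # Hardening. Notes for anyone tightening this further:
    # - NoNewPrivileges=true also stops setuid helpers (e.g. a sendmail
    #   wrapper invoked by PHP's mail()) from gaining privileges; they run
    #   as the pool user instead. If that is needed, handle mail differently.
    # - ProtectSystem=full leaves /var writable; `strict` plus explicit
    #   ReadWritePaths= would be tighter, but which paths a pool writes
    #   (data dirs, sockets, sessions) depends on the pool config.
    # - ProtectHome=true hides /home entirely, so pools whose document root
    #   lives under /home will fail to read it.
    # - Because the master is root, CapabilityBoundingSet= and
    #   SystemCallFilter=@system-service are the next obvious restrictions;
    #   the required capability set depends on the pools (listen.owner chown,
    #   chroot, rlimits), so confirm against the actual pool config before
    #   adding them.
    LockPersonality=true
    NoNewPrivileges=true
    PrivateDevices=true
    PrivateTmp=true
    ProtectClock=true
    ProtectControlGroups=true
    ProtectHome=true
    ProtectHostname=true
    ProtectKernelLogs=true
    ProtectKernelModules=true
    ProtectKernelTunables=true
    ProtectSystem=full
    # AF_NETLINK is kept because some helpers (e.g. sendmail) need it; drop
    # it if no pool relies on such helpers.
    RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
    RestrictNamespaces=true
    RestrictRealtime=true
    RestrictSUIDSGID=true

    [Install]
    WantedBy=multi-user.target
  '';
}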