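{ stdenv
, pkgs
, utils
}:
# Builds the systemd unit definition for one php-fpm pool ("site").
#
# Arguments:
#   name             - name of the resulting service definition.
#   siteName         - identifies the pool; used in the unit name, the
#                      socket path and the PID file path.
#   user, group      - account the pool's worker processes run as.
#   socketUser,
#   socketGroup      - handed to php-fpm.nix together with the socket
#                      path; presumably the socket's owner, i.e. who may
#                      connect to the pool (confirm in php-fpm.nix).
#   runtimeDirectory - directory holding the socket
#                      (default /run/<siteName>).
#   phpIniConfig     - attributes merged onto the php.ini derivation.
#   siteConfig       - attributes merged onto the php-fpm.conf derivation.
#   extensions,
#   zend_extensions  - PHP extensions enabled in the generated php.ini.
#   dependsOn        - passed through unchanged to the returned definition.
{ name
, siteName
, user
, group
, socketUser
, socketGroup
, runtimeDirectory ? "/run/${siteName}"
, phpIniConfig ? {}
, siteConfig ? {}
, extensions ? []
, zend_extensions ? []
, dependsOn ? {}
}:
let
  # NOTE(review): `//` merges phpIniConfig onto the derivation's attribute
  # set, not into the php.ini contents; whether php-ini.nix consults those
  # attributes is not visible here — confirm before relying on it.
  phpIniFile = pkgs.callPackage (import ./php-ini.nix) {
    inherit siteName;
    inherit extensions zend_extensions;
  } // phpIniConfig;

  # Unix socket the web server connects to; lives in runtimeDirectory so
  # the unit, the pool config and tmpfiles.d agree on its location.
  siteSocket = "${runtimeDirectory}/${siteName}.sock";

  # Same caveat as for phpIniConfig above.
  siteConfigFile = pkgs.callPackage (import ./php-fpm.nix) {
    inherit siteName;
    inherit user group;
    inherit siteSocket socketUser socketGroup;
  } // siteConfig;
in
# This service runs as root, each pool runs as a user.
{
  inherit name;
  inherit user group;
  inherit socketUser socketGroup;
  # Exported so consumers can reference the pool's socket path.
  inherit siteSocket;

  # Because the master process is root, the sandboxing directives in the
  # unit are what bounds a compromised worker or master:
  #   - NoNewPrivileges / RestrictSUIDSGID: no privilege gain via setuid
  #     binaries or setuid/setgid file creation.
  #   - ProtectSystem=full: /usr, /boot and /etc are read-only;
  #     ProtectHome=true hides /home, /root and /run/user (a document root
  #     under /home would not be reachable).
  #   - RestrictAddressFamilies: only IP, netlink and unix sockets.
  #   - Private /dev and /tmp, kernel tunables/modules/logs not reachable.
  # NOTE(review): PIDFile is spelled with /run/${siteName} rather than
  # ${runtimeDirectory}; the two diverge if a caller overrides
  # runtimeDirectory. The matching `pid` directive is set in php-fpm.nix,
  # which is not visible here, so both must be changed together.
  pkg = utils.systemd.mkService rec {
    name = "php-fpm-${siteName}";
    content = ''
      [Unit]
      Description=The PHP FastCGI Process Manager
      After=network.target

      [Service]
      Type=notify
      PIDFile=/run/${siteName}/php-fpm.pid
      ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${siteConfigFile} --php-ini ${phpIniFile}
      # /bin/kill does not exist on NixOS (only /bin/sh is provided), so
      # reference the binary from the store as the NixOS modules do.
      ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID

      # Keeping this around to avoid uncommenting them. These directories
      # are handled through tmpfiles.d.
      #
      # RuntimeDirectory=${siteName}
      # StateDirectory=${siteName}

      LockPersonality=true
      NoNewPrivileges=true
      PrivateDevices=true
      PrivateTmp=true
      ProtectClock=true
      ProtectControlGroups=true
      ProtectHome=true
      ProtectHostname=true
      ProtectKernelLogs=true
      ProtectKernelModules=true
      ProtectKernelTunables=true
      ProtectSystem=full
      RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
      RestrictNamespaces=true
      RestrictRealtime=true
      RestrictSUIDSGID=true

      [Install]
      WantedBy=multi-user.target
    '';
  };

  inherit dependsOn;
  type = "systemd-unit";
}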