From 5ef3fdba8903c343a4160b2cc93984122b60303b Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 14 Jan 2023 21:51:11 -0800 Subject: [PATCH] merge config with unit for php-fpm --- all-packages.nix | 13 +-- php-fpm/config.nix | 23 ----- php-fpm/mkconfig.nix | 20 ---- php-fpm/mksiteconfig.nix | 31 ------- php-fpm/mkunit.nix | 26 ------ php-fpm/{siteconfig.nix => php-fpm.nix} | 32 +++---- php/config.nix => php-fpm/php-ini.nix | 34 +++---- php-fpm/unit.nix | 117 +++++++++++++++--------- php/siteconfig.nix | 18 ---- ttrss/mk-normalize-headers.nix | 17 ---- ttrss/normalize-headers.nix | 19 ++-- 11 files changed, 106 insertions(+), 244 deletions(-) delete mode 100644 php-fpm/config.nix delete mode 100644 php-fpm/mkconfig.nix delete mode 100644 php-fpm/mksiteconfig.nix delete mode 100644 php-fpm/mkunit.nix rename php-fpm/{siteconfig.nix => php-fpm.nix} (72%) rename php/config.nix => php-fpm/php-ini.nix (88%) delete mode 100644 php/siteconfig.nix delete mode 100644 ttrss/mk-normalize-headers.nix diff --git a/all-packages.nix b/all-packages.nix index 89a7b39..1525398 100644 --- a/all-packages.nix +++ b/all-packages.nix @@ -21,15 +21,7 @@ let mkNginxService = callPackage ./nginx/unit.nix {inherit utils;}; - PHPConfig = callPackage ./php/config.nix {inherit utils;}; - mkPHPSiteConfig = callPackage ./php/siteconfig.nix {inherit PHPConfig;}; - - PHPFPMConfig = callPackage ./php-fpm/config.nix {inherit utils;}; - mkPHPFPMConfig = callPackage ./php-fpm/mkconfig.nix {inherit PHPFPMConfig;}; - PHPFPMService = callPackage ./php-fpm/unit.nix {inherit utils;}; - mkPHPFPMService = callPackage ./php-fpm/mkunit.nix {inherit PHPFPMService;}; - PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;}; - mkPHPFPMSiteConfig = callPackage ./php-fpm/mksiteconfig.nix {inherit PHPFPMSiteConfig;}; + mkPHPFPMService = callPackage ./php-fpm/unit.nix {inherit utils;}; mkKeycloakService = callPackage ./keycloak/unit.nix {inherit utils;}; 
@@ -44,8 +36,7 @@ let mkTtrssUpdateService = callPackage ./ttrss/mkupdate.nix {inherit TtrssUpdateService;}; TtrssUpgradeDBService = callPackage ./ttrss/dbupgrade.nix {}; mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;}; - TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;}; - mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;}; + mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {}; vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;}; }; diff --git a/php-fpm/config.nix b/php-fpm/config.nix deleted file mode 100644 index 66dc16b..0000000 --- a/php-fpm/config.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ stdenv -, pkgs -, utils -}: -{ configDir ? "/etc/php" -, configFile ? "php-fpm.conf" -, siteConfigDir ? "${configFile}/conf.d" -, logLevel ? "notice" -}: -{ ... # Depends on whatever -}: - -utils.mkConfigFile { - name = configFile; - dir = configDir; - content = '' - [global] - error_log = syslog - syslog.ident = php-fpm - log_level = ${logLevel} - include=${siteConfigDir}/* - ''; -} diff --git a/php-fpm/mkconfig.nix b/php-fpm/mkconfig.nix deleted file mode 100644 index 14ebecb..0000000 --- a/php-fpm/mkconfig.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ PHPFPMConfig -}: -{ name -, configDir -, configFile -, siteConfigDir -, dependsOn ? {} -}: - -{ - inherit name configDir configFile; - inherit siteConfigDir; - - pkg = PHPFPMConfig { - inherit configDir configFile siteConfigDir; - }; - - inherit dependsOn; - type = "fileset"; -} diff --git a/php-fpm/mksiteconfig.nix b/php-fpm/mksiteconfig.nix deleted file mode 100644 index 0852dbd..0000000 --- a/php-fpm/mksiteconfig.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -{ PHPFPMSiteConfig -}: -{ PHPFPMConfig -, user -, group -, name -, phpConfigDir -, siteName -, siteRoot -, siteSocket -, socketUser -, socketGroup -, dependsOn ? {} -, connectsTo ? {} -}: -rec { - inherit name user group siteSocket; - - pkg = PHPFPMSiteConfig { - inherit (PHPFPMConfig) siteConfigDir; - inherit user group; - inherit siteSocket phpConfigDir socketUser socketGroup; - - service = siteName; - serviceRoot = siteRoot; - allowedClients = "127.0.0.1"; - }; - - inherit dependsOn connectsTo; - type = "fileset"; -} diff --git a/php-fpm/mkunit.nix b/php-fpm/mkunit.nix deleted file mode 100644 index b90c3b5..0000000 --- a/php-fpm/mkunit.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ PHPFPMService -}: -{ name -, configDir -, configFile -, phpIniConfigDir -, phpIniConfigFile -, runtimeDirectory -, serviceSuffix -, dependsOn ? {} -}: - -{ - inherit name configDir configFile; - inherit phpIniConfigDir phpIniConfigFile; - inherit runtimeDirectory; - - pkg = PHPFPMService { - inherit serviceSuffix; - configFile = "${configDir}/${configFile}"; - phpIni = "${phpIniConfigDir}/${phpIniConfigFile}"; - }; - - inherit dependsOn; - type = "systemd-unit"; -} diff --git a/php-fpm/siteconfig.nix b/php-fpm/php-fpm.nix similarity index 72% rename from php-fpm/siteconfig.nix rename to php-fpm/php-fpm.nix index e1264bf..54daa83 100644 --- a/php-fpm/siteconfig.nix +++ b/php-fpm/php-fpm.nix @@ -1,11 +1,7 @@ -{ stdenv -, pkgs -, utils -}: -{ phpConfigDir -, siteConfigDir -, service -, serviceRoot ? "/usr/share/webapps/${service}" +{ pkgs +, siteName +, logLevel ? "notice" +, siteRoot ? "/usr/share/webapps/${siteName}" , user , group , siteSocket 
@@ -18,16 +14,13 @@ , startServers ? 2 , minSpareServers ? 1 , maxSpareServers ? 3 -}: -{ ... # Depends on whatever -}: +}: pkgs.writeText "php-fpm-${siteName}.conf" '' +[global] + error_log = syslog + syslog.ident = php-fpm + log_level = ${logLevel} -utils.mkConfigFile { - name = "${service}.conf"; - dir = siteConfigDir; - content = '' - [${service}] - +[${siteName}] user = ${user} group = ${group} listen = ${siteSocket} @@ -38,7 +31,7 @@ utils.mkConfigFile { env[PATH] = /usr/local/bin:/usr/bin:/bin env[TMP] = /tmp - chdir = ${serviceRoot} + chdir = ${siteRoot} pm = dynamic @@ -50,5 +43,4 @@ utils.mkConfigFile { catch_workers_output = yes pm.status_path = ${statusPath} - ''; -} +'' diff --git a/php/config.nix b/php-fpm/php-ini.nix similarity index 88% rename from php/config.nix rename to php-fpm/php-ini.nix index f36a945..2571701 100644 --- a/php/config.nix +++ b/php-fpm/php-ini.nix @@ -1,18 +1,9 @@ -{ stdenv +{ lib , pkgs -, lib -, utils -}: -{ configDir ? "/etc/php" -, configFile ? "php.ini" + +, siteName , prependFile ? null -}: -{ ... # Depends on whatever -}: - -let - - extensions = [ +, extensions ? [ # "bcmath" # "curl" # "gd" @@ -27,22 +18,20 @@ let # "soap" # "sqlite3" # "zip" - ]; - - zend_extensions = [ +] +, zend_extensions ? [ # "opcache" - ]; +] +}: +let concatWithPrefix = prefix: content: lib.strings.concatMapStrings (x: prefix + x + "\n") content; in -utils.mkConfigFile { - name = configFile; - dir = configDir; - content = '' +pkgs.writeText "php-${siteName}.ini" '' [PHP] engine = On short_open_tag = Off @@ -103,5 +92,4 @@ utils.mkConfigFile { ; opcache.memory_consumption=128 ; opcache.interned_strings_buffer=16 ; opcache.max_accelerated_files=20000 - ''; -} +'' diff --git a/php-fpm/unit.nix b/php-fpm/unit.nix index 7a7d852..e77e060 100644 --- a/php-fpm/unit.nix +++ b/php-fpm/unit.nix 
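Review bot: The new `[${siteName}]` pool block in this hunk ends at `listen = ${siteSocket}` and the socket-permission lines are not in view; for a unix socket it is `listen.owner`/`listen.group`/`listen.mode`, not `listen.allowed_clients` (TCP only), that decide which local users may submit FastCGI requests to the pool, so confirm the unchanged lines between `listen =` and `env[PATH]` still emit `listen.owner = ${socketUser}`, `listen.group = ${socketGroup}` and a restrictive `listen.mode = 0660`. The deleted mksiteconfig.nix hard-coded `allowedClients = "127.0.0.1"` and the new unit.nix no longer passes an `allowedClients` argument, so whatever default php-fpm.nix carries for it is now what ships; if the parameter still exists it should keep a loopback default or be dropped as dead for unix sockets. Since `[global]` now lives in each per-site file and the deleted config.nix's `include=` aggregation is gone, a comment above `[global]` such as `# Passed whole via --fpm-config: one master process per site, no include directory.` would save the next reader from looking for the old shared php-fpm.conf. The file's argument set begins in the previous hunk, above this one.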
@@ -2,52 +2,85 @@ , pkgs , utils }: -{ serviceSuffix -, configFile ? "/etc/php/php-fpm.conf" -, phpIni ? "/etc/php/php.ini" +{ name +, siteName +, user +, group +, socketUser +, socketGroup +, runtimeDirectory ? "/run/${siteName}" +, phpIniConfig ? {} +, siteConfig ? {} +, extensions ? [] +, zend_extensions ? [] + +, dependsOn ? {} }: -{...}: +let + phpIniFile = pkgs.callPackage (import ./php-ini.nix) { + inherit siteName; + inherit extensions zend_extensions; + } // phpIniConfig; + + siteSocket = "${runtimeDirectory}/${siteName}.sock"; + + siteConfigFile = pkgs.callPackage (import ./php-fpm.nix) { + inherit siteName; + inherit user group; + inherit siteSocket socketUser socketGroup; + } // siteConfig; +in # This service runs as root, each pool runs as a user. +{ + inherit name; + inherit user group; + inherit socketUser socketGroup; -utils.systemd.mkService rec { - name = "php-fpm-${serviceSuffix}"; + inherit siteSocket; - content = '' - [Unit] - Description=The PHP FastCGI Process Manager - After=network.target - - [Service] - Type=notify - PIDFile=/run/${serviceSuffix}/php-fpm.pid - ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configFile} --php-ini ${phpIni} - ExecReload=/bin/kill -USR2 $MAINPID + pkg = utils.systemd.mkService rec { + name = "php-fpm-${siteName}"; - # Keeping this around to avoid uncommenting them. These directories - # are handled through tmpfiles.d. 
- # - # RuntimeDirectory=${serviceSuffix} - # StateDirectory=${serviceSuffix} - - LockPersonality=true - NoNewPrivileges=true - PrivateDevices=true - PrivateTmp=true - ProtectClock=true - ProtectControlGroups=true - ProtectHome=true - ProtectHostname=true - ProtectKernelLogs=true - ProtectKernelModules=true - ProtectKernelTunables=true - ProtectSystem=full - RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX - RestrictNamespaces=true - RestrictRealtime=true - RestrictSUIDSGID=true - - [Install] - WantedBy=multi-user.target - ''; + content = '' + [Unit] + Description=The PHP FastCGI Process Manager + After=network.target + + [Service] + Type=notify + PIDFile=/run/${siteName}/php-fpm.pid + ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${siteConfigFile} --php-ini ${phpIniFile} + ExecReload=/bin/kill -USR2 $MAINPID + + # Keeping this around to avoid uncommenting them. These directories + # are handled through tmpfiles.d. + # + # RuntimeDirectory=${siteName} + # StateDirectory=${siteName} + + LockPersonality=true + NoNewPrivileges=true + PrivateDevices=true + PrivateTmp=true + ProtectClock=true + ProtectControlGroups=true + ProtectHome=true + ProtectHostname=true + ProtectKernelLogs=true + ProtectKernelModules=true + ProtectKernelTunables=true + ProtectSystem=full + RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX + RestrictNamespaces=true + RestrictRealtime=true + RestrictSUIDSGID=true + + [Install] + WantedBy=multi-user.target + ''; + }; + + inherit dependsOn; + type = "systemd-unit"; } diff --git a/php/siteconfig.nix b/php/siteconfig.nix deleted file mode 100644 index 3ff0cfe..0000000 --- a/php/siteconfig.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ PHPConfig -}: -{ name -, configDir -, configFile -, pkgExtraArguments ? {} -, dependsOn ? {} -}: -rec { - inherit name configDir configFile; - inherit dependsOn; - - pkg = PHPConfig ({ - inherit configDir configFile; - } // pkgExtraArguments); - - type = "fileset"; -} 
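Review bot: In the new `let` block, `pkgs.callPackage (import ./php-ini.nix) { … } // phpIniConfig` and the matching `… // siteConfig` line bind the wrong way: Nix function application is tighter than `//`, so the override set is merged into the returned writeText derivation rather than into its arguments, and `${phpIniFile}` / `${siteConfigFile}` still interpolate the unmodified store path — any `phpIniConfig` or `siteConfig` a deployer passes (for example to tighten php.ini or change `logLevel`) is silently ignored while appearing to be applied. Move the merge inside the argument: `pkgs.callPackage (import ./php-ini.nix) ({ inherit siteName extensions zend_extensions; } // phpIniConfig);` and `pkgs.callPackage (import ./php-fpm.nix) ({ inherit siteName user group siteSocket socketUser socketGroup; } // siteConfig);` (or call `.override` on the result). Separately, `PIDFile=/run/${siteName}/php-fpm.pid` hard-codes the directory while `runtimeDirectory ? "/run/${siteName}"` is overridable and feeds `siteSocket`, so an override leaves the PID path pointing at a different directory; given the `[global]` block php-fpm.nix now writes sets no `pid`, php-fpm will not create that file anyway and `Type=notify` already supplies the main PID, so either drop `PIDFile` or use `PIDFile=${runtimeDirectory}/php-fpm.pid` together with a matching `pid =` global. The file's outer argument set (`{ stdenv` …) starts on the line above this hunk.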
diff --git a/ttrss/mk-normalize-headers.nix b/ttrss/mk-normalize-headers.nix deleted file mode 100644 index 81d3f20..0000000 --- a/ttrss/mk-normalize-headers.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ TtrssPHPNormalizeHeaders -}: -{ name -, configDir ? "/etc/php" -, configFile ? "normalize-headers.php" - -, debug ? false -}: -rec { - inherit name configDir configFile; - - pkg = TtrssPHPNormalizeHeaders { - inherit configDir configFile; - inherit debug; - }; - type = "fileset"; -} diff --git a/ttrss/normalize-headers.nix b/ttrss/normalize-headers.nix index c6fe112..89503a8 100644 --- a/ttrss/normalize-headers.nix +++ b/ttrss/normalize-headers.nix @@ -1,17 +1,9 @@ -{ stdenv -, pkgs -, utils +{ pkgs }: -{ configDir ? "/etc/php" -, configFile ? "normalize-headers.php" - -, debug ? false +{ debug ? false }: -utils.mkConfigFile { - name = configFile; - dir = configDir; - content = '' +pkgs.writeText "normalize-headers.php" (''