
merge config with unit for php-fpm

This commit is contained in:
ibizaman 2023-01-14 21:51:11 -08:00
parent ba6f27b47c
commit 5ef3fdba89
11 changed files with 106 additions and 244 deletions


@ -21,15 +21,7 @@ let
mkNginxService = callPackage ./nginx/unit.nix {inherit utils;}; mkNginxService = callPackage ./nginx/unit.nix {inherit utils;};
PHPConfig = callPackage ./php/config.nix {inherit utils;}; mkPHPFPMService = callPackage ./php-fpm/unit.nix {inherit utils;};
mkPHPSiteConfig = callPackage ./php/siteconfig.nix {inherit PHPConfig;};
PHPFPMConfig = callPackage ./php-fpm/config.nix {inherit utils;};
mkPHPFPMConfig = callPackage ./php-fpm/mkconfig.nix {inherit PHPFPMConfig;};
PHPFPMService = callPackage ./php-fpm/unit.nix {inherit utils;};
mkPHPFPMService = callPackage ./php-fpm/mkunit.nix {inherit PHPFPMService;};
PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;};
mkPHPFPMSiteConfig = callPackage ./php-fpm/mksiteconfig.nix {inherit PHPFPMSiteConfig;};
mkKeycloakService = callPackage ./keycloak/unit.nix {inherit utils;}; mkKeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
@ -44,8 +36,7 @@ let
mkTtrssUpdateService = callPackage ./ttrss/mkupdate.nix {inherit TtrssUpdateService;}; mkTtrssUpdateService = callPackage ./ttrss/mkupdate.nix {inherit TtrssUpdateService;};
TtrssUpgradeDBService = callPackage ./ttrss/dbupgrade.nix {}; TtrssUpgradeDBService = callPackage ./ttrss/dbupgrade.nix {};
mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;}; mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;};
TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;}; mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {};
mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;};
vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;}; vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;};
}; };


@ -1,23 +0,0 @@
{ stdenv
, pkgs
, utils
}:
{ configDir ? "/etc/php"
, configFile ? "php-fpm.conf"
, siteConfigDir ? "${configFile}/conf.d"
, logLevel ? "notice"
}:
{ ... # Depends on whatever
}:
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = ''
[global]
error_log = syslog
syslog.ident = php-fpm
log_level = ${logLevel}
include=${siteConfigDir}/*
'';
}


@ -1,20 +0,0 @@
{ PHPFPMConfig
}:
{ name
, configDir
, configFile
, siteConfigDir
, dependsOn ? {}
}:
{
inherit name configDir configFile;
inherit siteConfigDir;
pkg = PHPFPMConfig {
inherit configDir configFile siteConfigDir;
};
inherit dependsOn;
type = "fileset";
}


@ -1,31 +0,0 @@
{ PHPFPMSiteConfig
}:
{ PHPFPMConfig
, user
, group
, name
, phpConfigDir
, siteName
, siteRoot
, siteSocket
, socketUser
, socketGroup
, dependsOn ? {}
, connectsTo ? {}
}:
rec {
inherit name user group siteSocket;
pkg = PHPFPMSiteConfig {
inherit (PHPFPMConfig) siteConfigDir;
inherit user group;
inherit siteSocket phpConfigDir socketUser socketGroup;
service = siteName;
serviceRoot = siteRoot;
allowedClients = "127.0.0.1";
};
inherit dependsOn connectsTo;
type = "fileset";
}


@ -1,26 +0,0 @@
{ PHPFPMService
}:
{ name
, configDir
, configFile
, phpIniConfigDir
, phpIniConfigFile
, runtimeDirectory
, serviceSuffix
, dependsOn ? {}
}:
{
inherit name configDir configFile;
inherit phpIniConfigDir phpIniConfigFile;
inherit runtimeDirectory;
pkg = PHPFPMService {
inherit serviceSuffix;
configFile = "${configDir}/${configFile}";
phpIni = "${phpIniConfigDir}/${phpIniConfigFile}";
};
inherit dependsOn;
type = "systemd-unit";
}


@ -1,11 +1,7 @@
{ stdenv { pkgs
, pkgs , siteName
, utils , logLevel ? "notice"
}: , siteRoot ? "/usr/share/webapps/${siteName}"
{ phpConfigDir
, siteConfigDir
, service
, serviceRoot ? "/usr/share/webapps/${service}"
, user , user
, group , group
, siteSocket , siteSocket
@ -18,16 +14,13 @@
, startServers ? 2 , startServers ? 2
, minSpareServers ? 1 , minSpareServers ? 1
, maxSpareServers ? 3 , maxSpareServers ? 3
}: }: pkgs.writeText "php-fpm-${siteName}.conf" ''
{ ... # Depends on whatever [global]
}: error_log = syslog
syslog.ident = php-fpm
utils.mkConfigFile { log_level = ${logLevel}
name = "${service}.conf";
dir = siteConfigDir;
content = ''
[${service}]
[${siteName}]
user = ${user} user = ${user}
group = ${group} group = ${group}
listen = ${siteSocket} listen = ${siteSocket}
@ -38,7 +31,7 @@ utils.mkConfigFile {
env[PATH] = /usr/local/bin:/usr/bin:/bin env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp env[TMP] = /tmp
chdir = ${serviceRoot} chdir = ${siteRoot}
pm = dynamic pm = dynamic
@ -50,5 +43,4 @@ utils.mkConfigFile {
catch_workers_output = yes catch_workers_output = yes
pm.status_path = ${statusPath} pm.status_path = ${statusPath}
''; ''
}
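Review bot: Every per-site php-fpm master this file now produces writes to syslog under the same `syslog.ident = php-fpm` (top of the second hunk), so master-level messages from different sites (startup, reload, worker failures) interleave in the journal with no way to tell which site emitted them; only pool-level lines carry the `[${siteName}]` pool name. Since the unit created from this file is already named `php-fpm-${siteName}`, the identifier should follow it: `syslog.ident = php-fpm-${siteName}`. The file header would also benefit from a one-line comment stating what changed in the model, e.g. `# Complete php-fpm.conf for one site: a [global] section plus a single [${siteName}] pool, one master process per site.`, because the `[global]` section used to live in the separate config.nix that this commit deletes. The argument set continues above the first hunk line shown and the pool body is cut between hunks.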


@ -1,18 +1,9 @@
{ stdenv { lib
, pkgs , pkgs
, lib
, utils , siteName
}:
{ configDir ? "/etc/php"
, configFile ? "php.ini"
, prependFile ? null , prependFile ? null
}: , extensions ? [
{ ... # Depends on whatever
}:
let
extensions = [
# "bcmath" # "bcmath"
# "curl" # "curl"
# "gd" # "gd"
@ -27,22 +18,20 @@ let
# "soap" # "soap"
# "sqlite3" # "sqlite3"
# "zip" # "zip"
]; ]
, zend_extensions ? [
zend_extensions = [
# "opcache" # "opcache"
]; ]
}:
let
concatWithPrefix = prefix: content: concatWithPrefix = prefix: content:
lib.strings.concatMapStrings lib.strings.concatMapStrings
(x: prefix + x + "\n") (x: prefix + x + "\n")
content; content;
in in
utils.mkConfigFile { pkgs.writeText "php-${siteName}.ini" ''
name = configFile;
dir = configDir;
content = ''
[PHP] [PHP]
engine = On engine = On
short_open_tag = Off short_open_tag = Off
@ -103,5 +92,4 @@ utils.mkConfigFile {
; opcache.memory_consumption=128 ; opcache.memory_consumption=128
; opcache.interned_strings_buffer=16 ; opcache.interned_strings_buffer=16
; opcache.max_accelerated_files=20000 ; opcache.max_accelerated_files=20000
''; ''
}
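Review bot: The new defaults for `extensions` and `zend_extensions` in the argument set (first hunk, continuing into the second) are lists whose every entry is commented out, so the effective default is `[]`, yet a reader skimming the header sees what looks like an enabled-by-default list of extensions. A comment above `, extensions ? [` such as `# Empty by default; the commented names appear to be candidate values a caller may pass.` would prevent that misreading. Note also that unit.nix in this same commit always passes `extensions` and `zend_extensions` (defaulting to `[]` there), so these defaults are only reached when php-ini.nix is called directly. The function header starts at file line 1 inside this hunk but its body is cut between the two hunks.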


@ -2,52 +2,85 @@
, pkgs , pkgs
, utils , utils
}: }:
{ serviceSuffix { name
, configFile ? "/etc/php/php-fpm.conf" , siteName
, phpIni ? "/etc/php/php.ini" , user
, group
, socketUser
, socketGroup
, runtimeDirectory ? "/run/${siteName}"
, phpIniConfig ? {}
, siteConfig ? {}
, extensions ? []
, zend_extensions ? []
, dependsOn ? {}
}: }:
{...}:
let
phpIniFile = pkgs.callPackage (import ./php-ini.nix) {
inherit siteName;
inherit extensions zend_extensions;
} // phpIniConfig;
siteSocket = "${runtimeDirectory}/${siteName}.sock";
siteConfigFile = pkgs.callPackage (import ./php-fpm.nix) {
inherit siteName;
inherit user group;
inherit siteSocket socketUser socketGroup;
} // siteConfig;
in
# This service runs as root, each pool runs as a user. # This service runs as root, each pool runs as a user.
{
inherit name;
inherit user group;
inherit socketUser socketGroup;
utils.systemd.mkService rec { inherit siteSocket;
name = "php-fpm-${serviceSuffix}";
content = '' pkg = utils.systemd.mkService rec {
[Unit] name = "php-fpm-${siteName}";
Description=The PHP FastCGI Process Manager
After=network.target
[Service] content = ''
Type=notify [Unit]
PIDFile=/run/${serviceSuffix}/php-fpm.pid Description=The PHP FastCGI Process Manager
ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configFile} --php-ini ${phpIni} After=network.target
ExecReload=/bin/kill -USR2 $MAINPID
# Keeping this around to avoid uncommenting them. These directories [Service]
# are handled through tmpfiles.d. Type=notify
# PIDFile=/run/${siteName}/php-fpm.pid
# RuntimeDirectory=${serviceSuffix} ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${siteConfigFile} --php-ini ${phpIniFile}
# StateDirectory=${serviceSuffix} ExecReload=/bin/kill -USR2 $MAINPID
LockPersonality=true # Keeping this around to avoid uncommenting them. These directories
NoNewPrivileges=true # are handled through tmpfiles.d.
PrivateDevices=true #
PrivateTmp=true # RuntimeDirectory=${siteName}
ProtectClock=true # StateDirectory=${siteName}
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install] LockPersonality=true
WantedBy=multi-user.target NoNewPrivileges=true
''; PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
'';
};
inherit dependsOn;
type = "systemd-unit";
} }
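Review bot: `// phpIniConfig` and `// siteConfig` in the new `let` block never reach the functions being called: in Nix, function application binds tighter than `//`, so `pkgs.callPackage (import ./php-ini.nix) { … } // phpIniConfig` first evaluates the call with only the inherited arguments and then merges the override set onto the resulting derivation attrset, where it has no effect on the generated file. Every per-site override a caller passes through `siteConfig` or `phpIniConfig` (for example the `startServers`/`maxSpareServers` pool settings php-fpm.nix accepts, or the `allowedClients` value the deleted mksiteconfig.nix used to pass) is therefore silently dropped, and if php-fpm.nix still declares a required argument without a default the evaluation fails regardless of what the caller supplies. Parenthesize the argument set instead: `phpIniFile = pkgs.callPackage (import ./php-ini.nix) ({ inherit siteName extensions zend_extensions; } // phpIniConfig);` and `siteConfigFile = pkgs.callPackage (import ./php-fpm.nix) ({ inherit siteName user group siteSocket socketUser socketGroup; } // siteConfig);`. The enclosing function begins at file line 1, outside this hunk.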


@ -1,18 +0,0 @@
{ PHPConfig
}:
{ name
, configDir
, configFile
, pkgExtraArguments ? {}
, dependsOn ? {}
}:
rec {
inherit name configDir configFile;
inherit dependsOn;
pkg = PHPConfig ({
inherit configDir configFile;
} // pkgExtraArguments);
type = "fileset";
}


@ -1,17 +0,0 @@
{ TtrssPHPNormalizeHeaders
}:
{ name
, configDir ? "/etc/php"
, configFile ? "normalize-headers.php"
, debug ? false
}:
rec {
inherit name configDir configFile;
pkg = TtrssPHPNormalizeHeaders {
inherit configDir configFile;
inherit debug;
};
type = "fileset";
}


@ -1,17 +1,9 @@
{ stdenv { pkgs
, pkgs
, utils
}: }:
{ configDir ? "/etc/php" { debug ? false
, configFile ? "normalize-headers.php"
, debug ? false
}: }:
utils.mkConfigFile { pkgs.writeText "normalize-headers.php" (''
name = configFile;
dir = configDir;
content = ''
<?php <?php
$trustedProxies = array( $trustedProxies = array(
@ -51,5 +43,6 @@ utils.mkConfigFile {
} }
'' + (if !debug then "" else '' '' + (if !debug then "" else ''
trigger_error(print_r($_SERVER, true), E_USER_WARNING); trigger_error(print_r($_SERVER, true), E_USER_WARNING);
''); '')
} )
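Review bot: `debug` is now the only argument this file takes, and nothing documents that enabling it makes the generated PHP log the entire `$_SERVER` array at `E_USER_WARNING` on every request (second hunk), which includes all incoming request headers and therefore any cookie or authorization values a client sends. A comment on the parameter, e.g. `# debug: when true, dump the full $_SERVER array (request headers included) to the PHP error log on every request; diagnostics only, keep false in normal operation.`, would make the cost of flipping it visible to whoever wires `mkTtrssPHPNormalizeHeaders` in default.nix. The PHP body between the two hunks is not shown here.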