diff --git a/PHP-FPM/config.nix b/PHP-FPM/config.nix
new file mode 100644
index 0000000..8623e20
--- /dev/null
+++ b/PHP-FPM/config.nix
@@ -0,0 +1,21 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ configDir ? "/etc/php"
+, configFile ? "php-fpm.conf"
+, siteConfigDir ? "${configFile}/conf.d"
+, logLevel ? "notice"
+}:
+
+utils.mkConfigFile {
+ name = configFile;
+ dir = configDir;
+ content = ''
+ [global]
+ error_log = syslog
+ syslog.ident = php-fpm
+ log_level = ${logLevel}
+ include=${siteConfigDir}/*
+ '';
+}
diff --git a/PHP-FPM/siteconfig.nix b/PHP-FPM/siteconfig.nix
new file mode 100644
index 0000000..3680070
--- /dev/null
+++ b/PHP-FPM/siteconfig.nix
@@ -0,0 +1,53 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ siteConfigDir
+, service
+, serviceRoot ? "/usr/share/webapps/${service}"
+, user
+, group
+, siteSocket
+, allowedClients ? "127.0.0.1"
+, socketUser
+, socketGroup
+
+, statusPath ? "/status"
+, maxChildren ? 5
+, startServers ? 2
+, minSpareServers ? 1
+, maxSpareServers ? 3
+}:
+
+ # user = ${user}
+ # group = ${group}
+ #
+ # listen.owner = ${socketUser}
+ # listen.group = ${socketGroup}
+
+utils.mkConfigFile {
+ name = "${service}.conf";
+ dir = siteConfigDir;
+ content = ''
+ [${service}]
+
+ listen = ${siteSocket}
+ listen.allowed_clients = ${allowedClients}
+
+ env[PATH] = /usr/local/bin:/usr/bin:/bin
+ env[TMP] = /tmp
+
+ chdir = ${serviceRoot}
+
+ pm = dynamic
+
+ pm.max_children = ${builtins.toString maxChildren}
+ pm.start_servers = ${builtins.toString startServers}
+ pm.min_spare_servers = ${builtins.toString minSpareServers}
+ pm.max_spare_servers = ${builtins.toString maxSpareServers}
+
+ catch_workers_output = yes
+
+ pm.status_path = ${statusPath}
+ '';
+}
diff --git a/PHP-FPM/unit.nix b/PHP-FPM/unit.nix
new file mode 100644
index 0000000..d226ebc
--- /dev/null
+++ b/PHP-FPM/unit.nix
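Review bot: The default `siteConfigDir ? "${configFile}/conf.d"` interpolates the file name rather than the directory, so with defaults the generated `[global]` section reads `include=php-fpm.conf/conf.d/*`, a path relative to php-fpm's working directory instead of the evident intent `/etc/php/conf.d/*`; the default should presumably be `, siteConfigDir ? "${configDir}/conf.d"`. Nothing visible overrides this parameter at the call site in all-packages.nix, so the defaulted value is the one that ships. The `stdenv` and `pkgs` arguments are accepted but unused in this file.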
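Review bot: `listen.allowed_clients = ${allowedClients}` is effectively inert here: `listen = ${siteSocket}` is consumed by caddy/siteconfig.nix as `unix/${phpFpmSiteSocket}`, i.e. a Unix socket, and php-fpm documents `listen.allowed_clients` as applying only to TCP listeners, so the `127.0.0.1` default restricts nothing. Access to a Unix socket is governed by its owner, group and mode, yet `socketUser`/`socketGroup` (and `user`/`group`) are required parameters that appear only in the comment block above the call and never reach the pool content, leaving the socket at php-fpm's defaults. Either emit them inside `[${service}]`, `listen.owner = ${socketUser}` / `listen.group = ${socketGroup}` / `listen.mode = 0660`, or drop the unused parameters so callers are not misled into believing they took effect.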
@@ -0,0 +1,53 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ user ? "http"
+, group ? "http"
+, configDir ? "/etc/php"
+, configFile ? "php-fpm.conf"
+}:
+{...}:
+
+utils.systemd.mkService rec {
+ name = "php-fpm";
+
+ content = ''
+ [Unit]
+ Description=The PHP FastCGI Process Manager
+ After=network.target
+
+ [Service]
+ Type=notify
+ User=${user}
+ Group=${group}
+ PIDFile=/run/php-fpm/php-fpm.pid
+ ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configDir}/${configFile}
+ ExecReload=/bin/kill -USR2 $MAINPID
+ RuntimeDirectory=php-fpm
+ # ReadWritePaths=/usr/share/webapps/nextcloud/apps
+ # ReadWritePaths=/usr/share/webapps/nextcloud/apps
+ # ReadWritePaths=/usr/share/webapps/nextcloud/config
+ # ReadWritePaths=/etc/webapps/nextcloud
+
+ LockPersonality=true
+ NoNewPrivileges=true
+ PrivateDevices=true
+ PrivateTmp=true
+ ProtectClock=true
+ ProtectControlGroups=true
+ ProtectHome=true
+ ProtectHostname=true
+ ProtectKernelLogs=true
+ ProtectKernelModules=true
+ ProtectKernelTunables=true
+ ProtectSystem=full
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+ RestrictNamespaces=true
+ RestrictRealtime=true
+ RestrictSUIDSGID=true
+
+ [Install]
+ WantedBy=multi-user.target
+ '';
+}
diff --git a/all-packages.nix b/all-packages.nix
index 7ec426e..1986a17 100644
--- a/all-packages.nix
+++ b/all-packages.nix
@@ -15,6 +15,10 @@ let
 CaddyService = callPackage ./caddy/unit.nix {inherit utils;}; CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;}; + PHPFPMConfig = callPackage ./PHP-FPM/config.nix {inherit utils;}; + PHPFPMService = callPackage ./PHP-FPM/unit.nix {inherit utils;}; + PHPFPMSiteConfig = callPackage ./PHP-FPM/siteconfig.nix {inherit utils;}; + TtrssEnvironment = callPackage ./Ttrss/environment.nix {}; TtrssConfig = callPackage ./Ttrss/config.nix {}; TtrssUpdateService = callPackage ./Ttrss/update.nix {inherit utils;};
diff --git a/caddy/siteconfig.nix b/caddy/siteconfig.nix
index df687a1..7e7033e 100644
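Review bot: `PIDFile=/run/php-fpm/php-fpm.pid` names a file php-fpm only writes when a `pid` directive is configured, and the `[global]` section generated by PHP-FPM/config.nix sets none; with `Type=notify` systemd learns the main PID through the notify socket anyway, so either add `pid = /run/php-fpm/php-fpm.pid` to that global config or remove the `PIDFile=` line. `Type=notify` also presumes `${pkgs.php}/bin/php-fpm` was built with FPM systemd integration; if it was not, the unit would be expected to sit in activating until the start timeout kills it, which is worth confirming before relying on it. The hardening block stops short of syscall and capability confinement: `SystemCallArchitectures=native`, `SystemCallFilter=@system-service` and `CapabilityBoundingSet=` would close that gap, and the same applies to the block added in caddy/unit.nix (there with the bounding set limited to `CAP_NET_BIND_SERVICE` to match its `AmbientCapabilities=`). The duplicated `# ReadWritePaths=/usr/share/webapps/nextcloud/apps` comment line can go.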
--- a/caddy/siteconfig.nix
+++ b/caddy/siteconfig.nix
@@ -3,13 +3,11 @@
 , utils }: { siteConfigDir -, runtimeDirectory , portBinding , bindService -, useSocket ? false , serviceRoot ? "/usr/share/webapps/${bindService}" -, phpFpmRuntimeDirectory ? "/run/php-fpm" -, phpFastcgi ? null +, siteSocket ? null +, phpFpmSiteSocket ? null , logLevel ? "WARN" }:
@@ -20,16 +18,16 @@ let
 "file_server" ] ++ ( - if useSocket + if siteSocket != "" then [ - "bind unix/${runtimeDirectory}/${bindService}.sock" + "bind unix/${siteSocket}" ] else [] ) ++ ( - if phpFastcgi + if phpFpmSiteSocket != "" then [ - "php_fastcgi unix/${phpFpmRuntimeDirectory}/${bindService}.sock" + "php_fastcgi unix/${phpFpmSiteSocket}" ] else [] );
@@ -40,11 +38,11 @@ utils.mkConfigFile {
 dir = siteConfigDir; content = '' :${builtins.toString portBinding} { - ${builtins.concatStringsSep "\n " content} + ${builtins.concatStringsSep "\n " content} log { - output stderr - level ${logLevel} + output stderr + level ${logLevel} } } '';
diff --git a/caddy/unit.nix b/caddy/unit.nix
index 60c3242..a115af2 100644
--- a/caddy/unit.nix
+++ b/caddy/unit.nix
@@ -33,7 +33,7 @@ utils.systemd.mkService rec {
 ExecReload=${pkgs.caddy}/bin/caddy reload --config ${configDir}/${configFile} # Restart=on-abnormal - # # RuntimeDirectory=caddy + RuntimeDirectory=caddy # KillMode=mixed # KillSignal=SIGQUIT
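Review bot: The new guards in the `let` list test `siteSocket != ""` and `phpFpmSiteSocket != ""`, but the defaults introduced in the first hunk are `? null`, and in Nix `null != ""` is true, so a caller that leaves either parameter unset takes the `then` branch and `"bind unix/${siteSocket}"` fails evaluation with a null-to-string coercion error instead of emitting nothing. Either compare against the actual default, `if siteSocket != null` and `if phpFpmSiteSocket != null`, or change the defaults to `? ""` so the checks and defaults agree. The `let` binding holding this list starts and ends outside the hunk.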
@@ -43,39 +43,30 @@ utils.systemd.mkService rec { LimitNPROC=512 # PrivateDevices=true + LockPersonality=true + NoNewPrivileges=true + PrivateDevices=true PrivateTmp=true - # ProtectKernelTunables=true - # ProtectKernelModules=true - # ProtectControlGroups=true - # ProtectKernelLogs=true - # ProtectHome=true - # ProtectHostname=true - # ProtectClock=true - # RestrictSUIDSGID=true - # LockPersonality=true - # NoNewPrivileges=true + ProtectClock=true + ProtectControlGroups=true + ProtectHome=true + ProtectHostname=true + ProtectKernelLogs=true + ProtectKernelModules=true + ProtectKernelTunables=true + ProtectSystem=full + RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX + RestrictNamespaces=true + RestrictRealtime=true + RestrictSUIDSGID=true # CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE # ProtectSystem=strict - ProtectSystem=full # ReadWritePaths=/var/lib/caddy /var/log/caddy [Install] WantedBy=multi-user.target ''; } - - -# Put this in /etc/caddy/Caddyfile - -# { -# # debug -# -# # Disable auto https -# http_port 10001 -# https_port 10002 -# } -# -# import conf.d/*
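Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` is kept while `# CapabilityBoundingSet=CAP_NET_BIND_SERVICE` stays commented out, so the bounding set is left at its default even though the single capability the process is meant to hold is now explicit; enabling `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` next to the ambient line turns that intent into an enforced ceiling. The `User=` line that determines how much this matters is outside the hunk. The commented `# PrivateDevices=true` directly above the new `PrivateDevices=true` is now a stale duplicate and can be dropped, and the remaining `# ProtectSystem=strict` comment should either be removed or paired with the `ReadWritePaths=/var/lib/caddy /var/log/caddy` line below it if strict mode is still the goal.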