hosting/selfhostblocks
1
0
Fork 0
Code Issues Activity

add php-fpm for ttrss

Browse source
This commit is contained in:
ibizaman 2022-09-09 23:15:03 -07:00
parent 40a4d308c1
commit d12ff9e7c6
6 changed files with 156 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
PHP-FPM/config.nix Normal file
View file

@ -0,0 +1,21 @@
{ stdenv
, pkgs
, utils
}:
{ configDir ? "/etc/php"
, configFile ? "php-fpm.conf"
, siteConfigDir ? "${configFile}/conf.d"
, logLevel ? "notice"
}:
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = ''
[global]
error_log = syslog
syslog.ident = php-fpm
log_level = ${logLevel}
include=${siteConfigDir}/*
'';
}

53
PHP-FPM/siteconfig.nix Normal file
View file

@ -0,0 +1,53 @@
{ stdenv
, pkgs
, utils
}:
{ siteConfigDir
, service
, serviceRoot ? "/usr/share/webapps/${service}"
, user
, group
, siteSocket
, allowedClients ? "127.0.0.1"
, socketUser
, socketGroup
, statusPath ? "/status"
, maxChildren ? 5
, startServers ? 2
, minSpareServers ? 1
, maxSpareServers ? 3
}:
# user = ${user}
# group = ${group}
#
# listen.owner = ${socketUser}
# listen.group = ${socketGroup}
utils.mkConfigFile {
name = "${service}.conf";
dir = siteConfigDir;
content = ''
[${service}]
listen = ${siteSocket}
listen.allowed_clients = ${allowedClients}
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
chdir = ${serviceRoot}
pm = dynamic
pm.max_children = ${builtins.toString maxChildren}
pm.start_servers = ${builtins.toString startServers}
pm.min_spare_servers = ${builtins.toString minSpareServers}
pm.max_spare_servers = ${builtins.toString maxSpareServers}
catch_workers_output = yes
pm.status_path = ${statusPath}
'';
}

53
PHP-FPM/unit.nix Normal file
View file

@ -0,0 +1,53 @@
{ stdenv
, pkgs
, utils
}:
{ user ? "http"
, group ? "http"
, configDir ? "/etc/php"
, configFile ? "php-fpm.conf"
}:
{...}:
utils.systemd.mkService rec {
name = "php-fpm";
content = ''
[Unit]
Description=The PHP FastCGI Process Manager
After=network.target
[Service]
Type=notify
User=${user}
Group=${group}
PIDFile=/run/php-fpm/php-fpm.pid
ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configDir}/${configFile}
ExecReload=/bin/kill -USR2 $MAINPID
RuntimeDirectory=php-fpm
# ReadWritePaths=/usr/share/webapps/nextcloud/apps
# ReadWritePaths=/usr/share/webapps/nextcloud/apps
# ReadWritePaths=/usr/share/webapps/nextcloud/config
# ReadWritePaths=/etc/webapps/nextcloud
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
'';
}

4
all-packages.nix
View file

@ -15,6 +15,10 @@ let
CaddyService = callPackage ./caddy/unit.nix {inherit utils;}; CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;}; CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};
PHPFPMConfig = callPackage ./PHP-FPM/config.nix {inherit utils;};
PHPFPMService = callPackage ./PHP-FPM/unit.nix {inherit utils;};
PHPFPMSiteConfig = callPackage ./PHP-FPM/siteconfig.nix {inherit utils;};
TtrssEnvironment = callPackage ./Ttrss/environment.nix {}; TtrssEnvironment = callPackage ./Ttrss/environment.nix {};
TtrssConfig = callPackage ./Ttrss/config.nix {}; TtrssConfig = callPackage ./Ttrss/config.nix {};
TtrssUpdateService = callPackage ./Ttrss/update.nix {inherit utils;}; TtrssUpdateService = callPackage ./Ttrss/update.nix {inherit utils;};

20
caddy/siteconfig.nix
View file

@ -3,13 +3,11 @@
, utils , utils
}: }:
{ siteConfigDir { siteConfigDir
, runtimeDirectory
, portBinding , portBinding
, bindService , bindService
, useSocket ? false
, serviceRoot ? "/usr/share/webapps/${bindService}" , serviceRoot ? "/usr/share/webapps/${bindService}"
, phpFpmRuntimeDirectory ? "/run/php-fpm" , siteSocket ? null
, phpFastcgi ? null , phpFpmSiteSocket ? null
, logLevel ? "WARN" , logLevel ? "WARN"
}: }:
@ -20,16 +18,16 @@ let
"file_server" "file_server"
] ]
++ ( ++ (
if useSocket if siteSocket != ""
then [ then [
"bind unix/${runtimeDirectory}/${bindService}.sock" "bind unix/${siteSocket}"
] ]
else [] else []
) )
++ ( ++ (
if phpFastcgi if phpFpmSiteSocket != ""
then [ then [
"php_fastcgi unix/${phpFpmRuntimeDirectory}/${bindService}.sock" "php_fastcgi unix/${phpFpmSiteSocket}"
] ]
else [] else []
); );
@ -40,11 +38,11 @@ utils.mkConfigFile {
dir = siteConfigDir; dir = siteConfigDir;
content = '' content = ''
:${builtins.toString portBinding} { :${builtins.toString portBinding} {
${builtins.concatStringsSep "\n " content} ${builtins.concatStringsSep "\n " content}
log { log {
output stderr output stderr
level ${logLevel} level ${logLevel}
} }
} }
''; '';

41
caddy/unit.nix
View file

@ -33,7 +33,7 @@ utils.systemd.mkService rec {
ExecReload=${pkgs.caddy}/bin/caddy reload --config ${configDir}/${configFile} ExecReload=${pkgs.caddy}/bin/caddy reload --config ${configDir}/${configFile}
# Restart=on-abnormal # Restart=on-abnormal
# # RuntimeDirectory=caddy RuntimeDirectory=caddy
# KillMode=mixed # KillMode=mixed
# KillSignal=SIGQUIT # KillSignal=SIGQUIT
@ -43,39 +43,30 @@ utils.systemd.mkService rec {
LimitNPROC=512 LimitNPROC=512
# PrivateDevices=true # PrivateDevices=true
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true PrivateTmp=true
# ProtectKernelTunables=true ProtectClock=true
# ProtectKernelModules=true ProtectControlGroups=true
# ProtectControlGroups=true ProtectHome=true
# ProtectKernelLogs=true ProtectHostname=true
# ProtectHome=true ProtectKernelLogs=true
# ProtectHostname=true ProtectKernelModules=true
# ProtectClock=true ProtectKernelTunables=true
# RestrictSUIDSGID=true ProtectSystem=full
# LockPersonality=true RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
# NoNewPrivileges=true RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE # CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE
# ProtectSystem=strict # ProtectSystem=strict
ProtectSystem=full
# ReadWritePaths=/var/lib/caddy /var/log/caddy # ReadWritePaths=/var/lib/caddy /var/log/caddy
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
''; '';
} }
# Put this in /etc/caddy/Caddyfile
# {
# # debug
#
# # Disable auto https
# http_port 10001
# https_port 10002
# }
#
# import conf.d/*