1
0
Fork 0

add php-fpm for ttrss

This commit is contained in:
ibizaman 2022-09-09 23:15:03 -07:00
parent 40a4d308c1
commit d12ff9e7c6
6 changed files with 156 additions and 36 deletions

21
PHP-FPM/config.nix Normal file
View file

@ -0,0 +1,21 @@
{ stdenv
, pkgs
, utils
}:
{ configDir ? "/etc/php"
, configFile ? "php-fpm.conf"
, siteConfigDir ? "${configFile}/conf.d"
, logLevel ? "notice"
}:
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = ''
[global]
error_log = syslog
syslog.ident = php-fpm
log_level = ${logLevel}
include=${siteConfigDir}/*
'';
}

53
PHP-FPM/siteconfig.nix Normal file
View file

@ -0,0 +1,53 @@
{ stdenv
, pkgs
, utils
}:
{ siteConfigDir
, service
, serviceRoot ? "/usr/share/webapps/${service}"
, user
, group
, siteSocket
, allowedClients ? "127.0.0.1"
, socketUser
, socketGroup
, statusPath ? "/status"
, maxChildren ? 5
, startServers ? 2
, minSpareServers ? 1
, maxSpareServers ? 3
}:
# user = ${user}
# group = ${group}
#
# listen.owner = ${socketUser}
# listen.group = ${socketGroup}
utils.mkConfigFile {
name = "${service}.conf";
dir = siteConfigDir;
content = ''
[${service}]
listen = ${siteSocket}
listen.allowed_clients = ${allowedClients}
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
chdir = ${serviceRoot}
pm = dynamic
pm.max_children = ${builtins.toString maxChildren}
pm.start_servers = ${builtins.toString startServers}
pm.min_spare_servers = ${builtins.toString minSpareServers}
pm.max_spare_servers = ${builtins.toString maxSpareServers}
catch_workers_output = yes
pm.status_path = ${statusPath}
'';
}

53
PHP-FPM/unit.nix Normal file
View file

@ -0,0 +1,53 @@
{ stdenv
, pkgs
, utils
}:
{ user ? "http"
, group ? "http"
, configDir ? "/etc/php"
, configFile ? "php-fpm.conf"
}:
{...}:
utils.systemd.mkService rec {
name = "php-fpm";
content = ''
[Unit]
Description=The PHP FastCGI Process Manager
After=network.target
[Service]
Type=notify
User=${user}
Group=${group}
PIDFile=/run/php-fpm/php-fpm.pid
ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configDir}/${configFile}
ExecReload=/bin/kill -USR2 $MAINPID
RuntimeDirectory=php-fpm
# ReadWritePaths=/usr/share/webapps/nextcloud/apps
# ReadWritePaths=/usr/share/webapps/nextcloud/apps
# ReadWritePaths=/usr/share/webapps/nextcloud/config
# ReadWritePaths=/etc/webapps/nextcloud
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
'';
}

View file

@ -15,6 +15,10 @@ let
CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};
PHPFPMConfig = callPackage ./PHP-FPM/config.nix {inherit utils;};
PHPFPMService = callPackage ./PHP-FPM/unit.nix {inherit utils;};
PHPFPMSiteConfig = callPackage ./PHP-FPM/siteconfig.nix {inherit utils;};
TtrssEnvironment = callPackage ./Ttrss/environment.nix {};
TtrssConfig = callPackage ./Ttrss/config.nix {};
TtrssUpdateService = callPackage ./Ttrss/update.nix {inherit utils;};

View file

@ -3,13 +3,11 @@
, utils
}:
{ siteConfigDir
, runtimeDirectory
, portBinding
, bindService
, useSocket ? false
, serviceRoot ? "/usr/share/webapps/${bindService}"
, phpFpmRuntimeDirectory ? "/run/php-fpm"
, phpFastcgi ? null
, siteSocket ? null
, phpFpmSiteSocket ? null
, logLevel ? "WARN"
}:
@ -20,16 +18,16 @@ let
"file_server"
]
++ (
if useSocket
if siteSocket != ""
then [
"bind unix/${runtimeDirectory}/${bindService}.sock"
"bind unix/${siteSocket}"
]
else []
)
++ (
if phpFastcgi
if phpFpmSiteSocket != ""
then [
"php_fastcgi unix/${phpFpmRuntimeDirectory}/${bindService}.sock"
"php_fastcgi unix/${phpFpmSiteSocket}"
]
else []
);

View file

@ -33,7 +33,7 @@ utils.systemd.mkService rec {
ExecReload=${pkgs.caddy}/bin/caddy reload --config ${configDir}/${configFile}
# Restart=on-abnormal
# # RuntimeDirectory=caddy
RuntimeDirectory=caddy
# KillMode=mixed
# KillSignal=SIGQUIT
@ -43,39 +43,30 @@ utils.systemd.mkService rec {
LimitNPROC=512
# PrivateDevices=true
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
# ProtectKernelTunables=true
# ProtectKernelModules=true
# ProtectControlGroups=true
# ProtectKernelLogs=true
# ProtectHome=true
# ProtectHostname=true
# ProtectClock=true
# RestrictSUIDSGID=true
# LockPersonality=true
# NoNewPrivileges=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# ProtectSystem=strict
ProtectSystem=full
# ReadWritePaths=/var/lib/caddy /var/log/caddy
[Install]
WantedBy=multi-user.target
'';
}
# Put this in /etc/caddy/Caddyfile
# {
# # debug
#
# # Disable auto https
# http_port 10001
# https_port 10002
# }
#
# import conf.d/*