add php-fpm for ttrss
parent
40a4d308c1
commit
d12ff9e7c6
6 changed files with 156 additions and 36 deletions
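--- a/PHP-FPM/config.nix
+++ b/PHP-FPM/config.nix
@@ -0,0 +1,21 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ configDir ? "/etc/php"
+, configFile ? "php-fpm.conf"
+, siteConfigDir ? "${configFile}/conf.d"
+, logLevel ? "notice"
+}:
+
+utils.mkConfigFile {
+name = configFile;
+dir = configDir;
+content = ''
+[global]
+error_log = syslog
+syslog.ident = php-fpm
+log_level = ${logLevel}
+include=${siteConfigDir}/*
+'';
+}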
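Review bot: The default `siteConfigDir ? "${configFile}/conf.d"` interpolates the file name instead of the directory, so with the defaults `include=` resolves to the relative path `php-fpm.conf/conf.d/*`, which cannot be the intended location; it should read `, siteConfigDir ? "${configDir}/conf.d"`. The trailing `/*` also loads every file in that directory, including editor backups or stray files, so narrowing it to `include=${siteConfigDir}/*.conf` keeps only deliberate pool definitions in the effective configuration.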
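--- a/PHP-FPM/siteconfig.nix
+++ b/PHP-FPM/siteconfig.nix
@@ -0,0 +1,53 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ siteConfigDir
+, service
+, serviceRoot ? "/usr/share/webapps/${service}"
+, user
+, group
+, siteSocket
+, allowedClients ? "127.0.0.1"
+, socketUser
+, socketGroup
+
+, statusPath ? "/status"
+, maxChildren ? 5
+, startServers ? 2
+, minSpareServers ? 1
+, maxSpareServers ? 3
+}:
+
+# user = ${user}
+# group = ${group}
+#
+# listen.owner = ${socketUser}
+# listen.group = ${socketGroup}
+
+utils.mkConfigFile {
+name = "${service}.conf";
+dir = siteConfigDir;
+content = ''
+[${service}]
+
+listen = ${siteSocket}
+listen.allowed_clients = ${allowedClients}
+
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+
+chdir = ${serviceRoot}
+
+pm = dynamic
+
+pm.max_children = ${builtins.toString maxChildren}
+pm.start_servers = ${builtins.toString startServers}
+pm.min_spare_servers = ${builtins.toString minSpareServers}
+pm.max_spare_servers = ${builtins.toString maxSpareServers}
+
+catch_workers_output = yes
+
+pm.status_path = ${statusPath}
+'';
+}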
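Review bot: The pool emits no `listen.owner`, `listen.group` or `listen.mode`, because the lines that would set them are Nix comments above `utils.mkConfigFile` rather than part of `content`, so the socket at `listen = ${siteSocket}` gets php-fpm's default ownership and mode, and the required `user`, `group`, `socketUser` and `socketGroup` arguments are accepted but never used. Either add `listen.owner = ${socketUser}`, `listen.group = ${socketGroup}` and `listen.mode = 0660` inside the `[${service}]` section (plus the `user`/`group` directives if php-fpm is ever started as root), or drop the unused parameters so callers are not misled into thinking they take effect. Note that `listen.allowed_clients` applies only to TCP listeners and is ignored on a unix socket, so it does not restrict who can reach this pool. `pm.status_path = ${statusPath}` is enabled unconditionally; confirm the front-end does not route `/status` to this pool, or restrict it there.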
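--- a/PHP-FPM/unit.nix
+++ b/PHP-FPM/unit.nix
@@ -0,0 +1,53 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ user ? "http"
+, group ? "http"
+, configDir ? "/etc/php"
+, configFile ? "php-fpm.conf"
+}:
+{...}:
+
+utils.systemd.mkService rec {
+name = "php-fpm";
+
+content = ''
+[Unit]
+Description=The PHP FastCGI Process Manager
+After=network.target
+
+[Service]
+Type=notify
+User=${user}
+Group=${group}
+PIDFile=/run/php-fpm/php-fpm.pid
+ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configDir}/${configFile}
+ExecReload=/bin/kill -USR2 $MAINPID
+RuntimeDirectory=php-fpm
+# ReadWritePaths=/usr/share/webapps/nextcloud/apps
+# ReadWritePaths=/usr/share/webapps/nextcloud/apps
+# ReadWritePaths=/usr/share/webapps/nextcloud/config
+# ReadWritePaths=/etc/webapps/nextcloud
+
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target
+'';
+}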
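Review bot: `ProtectSystem=full` mounts `/usr` read-only, yet no `ReadWritePaths=` is set (the only candidates are the commented nextcloud lines), so any directory under the siteconfig default `serviceRoot` of `/usr/share/webapps/<service>` that the web app writes to will fail with a read-only-filesystem error inside this unit; if ttrss is deployed there with its usual cache and lock directories in the install tree, that is likely to bite. Add an explicit `ReadWritePaths=` for exactly those paths, or keep writable state out of `/usr`. Separately, `PIDFile=/run/php-fpm/php-fpm.pid` names a file the generated php-fpm.conf never asks for (`config.nix` sets no `pid =` under `[global]`); with `Type=notify` it is not needed for PID tracking, so either drop the line or add `pid = /run/php-fpm/php-fpm.pid` to the global config so the two agree.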
|
@ -15,6 +15,10 @@ let
|
|||
CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
|
||||
CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};
|
||||
|
||||
PHPFPMConfig = callPackage ./PHP-FPM/config.nix {inherit utils;};
|
||||
PHPFPMService = callPackage ./PHP-FPM/unit.nix {inherit utils;};
|
||||
PHPFPMSiteConfig = callPackage ./PHP-FPM/siteconfig.nix {inherit utils;};
|
||||
|
||||
TtrssEnvironment = callPackage ./Ttrss/environment.nix {};
|
||||
TtrssConfig = callPackage ./Ttrss/config.nix {};
|
||||
TtrssUpdateService = callPackage ./Ttrss/update.nix {inherit utils;};
|
||||
|
|
|
@ -3,13 +3,11 @@
|
|||
, utils
|
||||
}:
|
||||
{ siteConfigDir
|
||||
, runtimeDirectory
|
||||
, portBinding
|
||||
, bindService
|
||||
, useSocket ? false
|
||||
, serviceRoot ? "/usr/share/webapps/${bindService}"
|
||||
, phpFpmRuntimeDirectory ? "/run/php-fpm"
|
||||
, phpFastcgi ? null
|
||||
, siteSocket ? null
|
||||
, phpFpmSiteSocket ? null
|
||||
, logLevel ? "WARN"
|
||||
}:
|
||||
|
||||
|
@ -20,16 +18,16 @@ let
|
|||
"file_server"
|
||||
]
|
||||
++ (
|
||||
if useSocket
|
||||
if siteSocket != ""
|
||||
then [
|
||||
"bind unix/${runtimeDirectory}/${bindService}.sock"
|
||||
"bind unix/${siteSocket}"
|
||||
]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
if phpFastcgi
|
||||
if phpFpmSiteSocket != ""
|
||||
then [
|
||||
"php_fastcgi unix/${phpFpmRuntimeDirectory}/${bindService}.sock"
|
||||
"php_fastcgi unix/${phpFpmSiteSocket}"
|
||||
]
|
||||
else []
|
||||
);
|
||||
|
|
|
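Review bot: The new defaults `siteSocket ? null` and `phpFpmSiteSocket ? null` do not agree with the checks `if siteSocket != ""` and `if phpFpmSiteSocket != ""` in the second hunk: in Nix `null != ""` is true, so a caller that omits either argument takes the `then` branch and the interpolation `"bind unix/${siteSocket}"` fails with a cannot-coerce-null evaluation error instead of producing no bind line. Either default both parameters to `""` or change the tests to `if siteSocket != null` and `if phpFpmSiteSocket != null`; one side must change for the parameters to actually be optional. The enclosing argument set starts before the first hunk and the `let` body continues past the second.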
@ -33,7 +33,7 @@ utils.systemd.mkService rec {
|
|||
ExecReload=${pkgs.caddy}/bin/caddy reload --config ${configDir}/${configFile}
|
||||
|
||||
# Restart=on-abnormal
|
||||
# # RuntimeDirectory=caddy
|
||||
RuntimeDirectory=caddy
|
||||
|
||||
# KillMode=mixed
|
||||
# KillSignal=SIGQUIT
|
||||
|
@ -43,39 +43,30 @@ utils.systemd.mkService rec {
|
|||
LimitNPROC=512
|
||||
|
||||
# PrivateDevices=true
|
||||
LockPersonality=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
# ProtectKernelTunables=true
|
||||
# ProtectKernelModules=true
|
||||
# ProtectControlGroups=true
|
||||
# ProtectKernelLogs=true
|
||||
# ProtectHome=true
|
||||
# ProtectHostname=true
|
||||
# ProtectClock=true
|
||||
# RestrictSUIDSGID=true
|
||||
# LockPersonality=true
|
||||
# NoNewPrivileges=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
|
||||
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
# ProtectSystem=strict
|
||||
ProtectSystem=full
|
||||
# ReadWritePaths=/var/lib/caddy /var/log/caddy
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
'';
|
||||
}
|
||||
|
||||
|
||||
# Put this in /etc/caddy/Caddyfile
|
||||
|
||||
# {
|
||||
# # debug
|
||||
#
|
||||
# # Disable auto https
|
||||
# http_port 10001
|
||||
# https_port 10002
|
||||
# }
|
||||
#
|
||||
# import conf.d/*
|
||||
|
|
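Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` is now paired with the full hardening set, but `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` is still commented out, so the unit's capability ceiling stays at the default of everything even though only one capability is ever needed; uncommenting that line is the cheap complement to `NoNewPrivileges=true`. `ProtectSystem=full` appears twice in this hunk, once in the new block and once next to the removed `# ProtectSystem=strict` line; if both survive on the new side the duplicate is harmless but should go. Since `/var/lib/caddy` and `/var/log/caddy` remain writable under `full`, the commented `ReadWritePaths` line only becomes necessary if the unit later moves to `strict`.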