1
0
Fork 0
selfhostblocks/php-fpm/unit.nix
2023-02-19 20:37:52 -08:00

53 lines
1.2 KiB
Nix

{ stdenv
, pkgs
, utils
}:
{ serviceSuffix
, configFile ? "/etc/php/php-fpm.conf"
, phpIni ? "/etc/php/php.ini"
}:
{...}:
# This service runs as root, each pool runs as a user.
utils.systemd.mkService rec {
name = "php-fpm-${serviceSuffix}";
content = ''
[Unit]
Description=The PHP FastCGI Process Manager
After=network.target
[Service]
Type=notify
PIDFile=/run/${serviceSuffix}/php-fpm.pid
ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configFile} --php-ini ${phpIni}
ExecReload=/bin/kill -USR2 $MAINPID
# Keeping this around to avoid uncommenting them. These directories
# are handled through tmpfiles.d.
#
# RuntimeDirectory=${serviceSuffix}
# StateDirectory=${serviceSuffix}
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
'';
}