JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless"

Browse Source 
This reverts commit b5478fd1a2, reversing
changes made to dbb00bfcbf.
This commit is contained in:
Aaron Andersen 2019-06-28 21:47:43 -04:00
parent 4b98e262a0
commit 278d867a9b
12 changed files with 242 additions and 231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/modules/rename.nix
View File

@ -241,12 +241,6 @@ with lib;
# binfmt
(mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
# PHP-FPM
(mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpPackage" ] "Use services.phpfpm.pools.<name>.phpPackage instead.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpOptions" ] "Use services.phpfpm.pools.<name>.phpOptions instead.")
(mkRenamedOptionModule [ "services" "phpfpm" "extraConfig" ] [ "services" "phpfpm" "globalExtraConfig" ])
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ]

18
nixos/modules/services/mail/roundcube.nix
View File

@ -105,7 +105,7 @@ in
extraConfig = ''
location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/phpfpm-roundcube/roundcube.sock;
fastcgi_pass unix:/run/phpfpm/roundcube;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
}
@ -119,15 +119,12 @@ in
enable = true;
};
services.phpfpm.pools.roundcube = {
socketName = "roundcube";
phpPackage = pkgs.php;
user = "${config.services.nginx.user}";
group = "${config.services.nginx.group}";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
services.phpfpm.poolConfigs.roundcube = ''
listen = /run/phpfpm/roundcube
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
@ -140,7 +137,6 @@ in
php_admin_value[upload_max_filesize] = 25M
catch_workers_output = yes
'';
};
systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
systemd.services.roundcube-setup = let

10
nixos/modules/services/misc/zoneminder.nix
View File

@ -19,7 +19,7 @@ let
useCustomDir = cfg.storageDir != null;
socket = "/run/phpfpm-zoneminder/zoneminder.sock";
socket = "/run/phpfpm/${dirName}.sock";
zms = "/cgi-bin/zms";
@ -284,10 +284,7 @@ in {
phpfpm = lib.mkIf useNginx {
pools.zoneminder = {
socketName = "zoneminder";
phpPackage = pkgs.php;
user = "${user}";
group = "${group}";
listen = socket;
phpOptions = ''
date.timezone = "${config.time.timeZone}"
@ -295,6 +292,9 @@ in {
"extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)}
'';
extraConfig = ''
user = ${user}
group = ${group}
listen.owner = ${user}
listen.group = ${group}
listen.mode = 0660

22
nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
View File

@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }: with lib; let
cfg = config.services.icingaweb2;
poolName = "icingaweb2";
phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";
defaultConfig = {
global = {
@ -161,16 +162,13 @@ in {
};
config = mkIf cfg.enable {
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = {
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "icingaweb2";
group = "icingaweb2";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = ''
listen = "${phpfpmSocketName}"
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = icingaweb2
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
@ -178,7 +176,6 @@ in {
pm.max_spare_servers = 10
'';
};
};
services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}")
''
@ -209,7 +206,7 @@ in {
include ${config.services.nginx.package}/conf/fastcgi.conf;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
fastcgi_pass unix:${phpfpmSocketName};
fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php;
'';
};
@ -242,8 +239,5 @@ in {
group = "icingaweb2";
isSystemUser = true;
};
users.users.nginx = {
extraGroups = [ "icingaweb2" ];
};
};
}

8
nixos/modules/services/web-apps/limesurvey.nix
View File

@ -202,13 +202,13 @@ in
};
services.phpfpm.pools.limesurvey = {
socketName = "limesurvey";
phpPackage = php;
user = "${user}";
group = "${group}";
listen = "/run/phpfpm/limesurvey.sock";
extraConfig = ''
listen.owner = ${config.services.httpd.user};
listen.group = ${config.services.httpd.group};
user = ${user};
group = ${group};
env[LIMESURVEY_CONFIG] = ${limesurveyConfig}
@ -241,7 +241,7 @@ in
<Directory "${pkg}/share/limesurvey">
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/run/phpfpm-limesurvey/limesurvey.sock|fcgi://localhost/"
SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/"
</If>
</FilesMatch>

28
nixos/modules/services/web-apps/matomo.nix
View File

@ -4,14 +4,13 @@ let
cfg = config.services.matomo;
user = "matomo";
group = "matomo";
dataDir = "/var/lib/${user}";
deprecatedDataDir = "/var/lib/piwik";
pool = user;
# it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
# it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
# and therefore is not accessible by the web server.
phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
phpSocket = "/run/phpfpm-${pool}.sock";
phpExecutionUnit = "phpfpm-${pool}";
databaseService = "mysql.service";
@ -138,12 +137,9 @@ in {
isSystemUser = true;
createHome = true;
home = dataDir;
group = "${group}";
group = user;
};
users.users.${config.services.nginx.user} = {
extraGroups = [ "${group}" ];
};
users.groups.${group} = {};
users.groups.${user} = {};
systemd.services.matomo-setup-update = {
# everything needs to set up and up to date before Matomo php files are executed
@ -173,7 +169,7 @@ in {
echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
mv -T ${deprecatedDataDir} ${dataDir}
fi
chown -R ${user}:${group} ${dataDir}
chown -R ${user}:${user} ${dataDir}
chmod -R ug+rwX,o-rwx ${dataDir}
'';
script = ''
@ -229,27 +225,23 @@ in {
serviceConfig.UMask = "0007";
};
services.phpfpm.pools = let
services.phpfpm.poolConfigs = let
# workaround for when both are null and need to generate a string,
# which is illegal, but as assertions apparently are being triggered *after* config generation,
# we have to avoid already throwing errors at this previous stage.
socketOwner = if (cfg.nginx != null) then config.services.nginx.user
else if (cfg.webServerUser != null) then cfg.webServerUser else "";
in {
${pool} = {
socketName = "${pool}";
phpPackage = pkgs.php;
user = "${user}";
group = "${group}";
extraConfig = ''
${pool} = ''
listen = "${phpSocket}"
listen.owner = ${socketOwner}
listen.group = ${group}
listen.group = root
listen.mode = 0600
user = ${user}
env[PIWIK_USER_PATH] = ${dataDir}
${cfg.phpfpmProcessManagerConfig}
'';
};
};
services.nginx.virtualHosts = mkIf (cfg.nginx != null) {

13
nixos/modules/services/web-apps/nextcloud.nix
View File

@ -394,14 +394,13 @@ in {
phpOptions)));
in {
phpOptions = phpOptionsExtensions;
socketName = "nextcloud";
phpPackage = phpPackage;
user = "nextcloud";
group = "${config.services.nginx.group}";
listen = "/run/phpfpm/nextcloud";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
listen.owner = nginx
listen.group = nginx
user = nextcloud
group = nginx
${cfg.poolConfig}
env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config
env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin
@ -467,7 +466,7 @@ in {
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/phpfpm-nextcloud/nextcloud.sock;
fastcgi_pass unix:/run/phpfpm/nextcloud;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 120s;

18
nixos/modules/services/web-apps/restya-board.nix
View File

@ -13,7 +13,7 @@ let
runDir = "/run/restya-board";
poolName = "restya-board";
phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
in
@ -178,12 +178,9 @@ in
config = mkIf cfg.enable {
services.phpfpm.pools = {
services.phpfpm.poolConfigs = {
"${poolName}" = {
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "${cfg.user}";
group = "${cfg.group}";
listen = phpfpmSocketName;
phpOptions = ''
date.timezone = "CET"
@ -195,9 +192,11 @@ in
''}
'';
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = ${cfg.user}
group = ${cfg.group}
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
@ -366,9 +365,6 @@ in
home = runDir;
group = "restya-board";
};
users.users.nginx = {
extraGroups = [ "restya-board" ];
};
users.groups.restya-board = {};
services.postgresql.enable = mkIf (cfg.database.host == null) true;

27
nixos/modules/services/web-apps/selfoss.nix
View File

@ -3,9 +3,9 @@ with lib;
let
cfg = config.services.selfoss;
poolName = "selfoss";
phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
group = "${cfg.user}";
poolName = "selfoss_pool";
phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
dataDir = "/var/lib/selfoss";
selfoss-config =
@ -116,16 +116,13 @@ in
config = mkIf cfg.enable {
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = {
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "${cfg.user}";
group = "${group}";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = ''
listen = "${phpfpmSocketName}";
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = nginx
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
@ -135,7 +132,6 @@ in
catch_workers_output = 1
'';
};
};
systemd.services.selfoss-config = {
serviceConfig.Type = "oneshot";
@ -149,7 +145,7 @@ in
# Create the files
cp -r "${pkgs.selfoss}/"* "${dataDir}"
ln -sf "${selfoss-config}" "${dataDir}/config.ini"
chown -R "${cfg.user}":"${group}" "${dataDir}"
chown -R "${cfg.user}" "${dataDir}"
chmod -R 755 "${dataDir}"
'';
wantedBy = [ "multi-user.target" ];
@ -166,8 +162,5 @@ in
};
users.users.nginx = {
extraGroups = [ "${group}" ];
};
};
}

12
nixos/modules/services/web-apps/tt-rss.nix
View File

@ -512,14 +512,12 @@ let
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = {
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "${config.services.nginx.user}";
group = "${config.services.nginx.group}";
listen = "/var/run/phpfpm/${poolName}.sock";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = ${cfg.user}
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
@ -545,7 +543,7 @@ let
locations."~ \.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen};
fastcgi_index index.php;
'';
};

152
nixos/modules/services/web-servers/phpfpm/default.nix
View File

@ -4,26 +4,37 @@ with lib;
let
cfg = config.services.phpfpm;
enabled = cfg.pools != {};
enabled = cfg.poolConfigs != {} || cfg.pools != {};
poolConfigs = (mapAttrs mapPool cfg.pools);
stateDir = "/run/phpfpm";
poolConfigs =
(mapAttrs mapPoolConfig cfg.poolConfigs) //
(mapAttrs mapPool cfg.pools);
mapPoolConfig = n: p: {
phpPackage = cfg.phpPackage;
phpOptions = cfg.phpOptions;
config = p;
};
mapPool = n: p: {
phpPackage = p.phpPackage;
phpOptions = p.phpOptions;
userPool = p.user;
groupPool = p.group;
config = ''
listen = ${p.listen}
${p.extraConfig}
'';
};
fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" ''
[global]
error_log = syslog
daemonize = no
${cfg.globalExtraConfig}
${cfg.extraConfig}
[${pool}]
listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock
${cfg.pools.${pool}.extraConfig}
${conf}
'';
phpIni = pool: pkgs.runCommand "php.ini" {
@ -38,89 +49,48 @@ let
'';
in {
options = {
services.phpfpm = {
globalExtraConfig = mkOption {
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Global extra configuration that should be put in the global section of
Extra configuration that should be put in the global section of
the PHP-FPM configuration file. Do not specify the options
<literal>error_log</literal> or
<literal>daemonize</literal> here, since they are generated by NixOS.
'';
};
pools = mkOption {
default = {};
type = types.attrsOf (types.submodule {
options = {
socketName = mkOption {
type = types.str;
example = "php-fpm";
description = ''
The address on which to accept FastCGI requests.
<literal>daemonize</literal> here, since they are generated by
NixOS.
'';
};
phpPackage = mkOption {
type = types.package;
default = fpmCfg.phpPackage;
defaultText = "config.services.phpfpm.phpPackage";
default = pkgs.php;
defaultText = "pkgs.php";
description = ''
The PHP package to use for running this PHP-FPM pool.
The PHP package to use for running the PHP-FPM service.
'';
};
phpOptions = mkOption {
type = types.lines;
default = fpmCfg.phpOptions;
defaultText = "config.services.phpfpm.phpOptions";
description = ''
"Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
default = "";
example =
''
date.timezone = "CET"
'';
description =
"Options appended to the PHP configuration file <filename>php.ini</filename>.";
};
user = mkOption {
type = types.string;
default = "phpfpm";
description = "User account under which phpfpm runs.";
};
group = mkOption {
type = types.string;
default = "phpfpm";
description = "Group account under which phpfpm runs.";
};
extraConfig = mkOption {
type = types.lines;
example = ''
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
'';
description = ''
Extra lines that go into the pool configuration.
See the documentation on <literal>php-fpm.conf</literal> for
details on configuration directives.
'';
};
};
});
poolConfigs = mkOption {
default = {};
type = types.attrsOf types.lines;
example = literalExample ''
{
mypool = {
socketName = "example";
phpPackage = pkgs.php;
user = "phpfpm";
group = "phpfpm";
extraConfig = '''
{ mypool = '''
listen = /run/phpfpm/mypool
user = nobody
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
@ -129,8 +99,36 @@ in {
pm.max_requests = 500
''';
}
}
'';
description = ''
A mapping between PHP-FPM pool names and their configurations.
See the documentation on <literal>php-fpm.conf</literal> for
details on configuration directives. If no pools are defined,
the phpfpm service is disabled.
'';
};
pools = mkOption {
type = types.attrsOf (types.submodule (import ./pool-options.nix {
inherit lib config;
}));
default = {};
example = literalExample ''
{
mypool = {
listen = "/path/to/unix/socket";
phpPackage = pkgs.php;
extraConfig = '''
user = nobody
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
''';
}
}'';
description = ''
PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM
service is disabled.
@ -156,6 +154,9 @@ in {
after = [ "network.target" ];
wantedBy = [ "phpfpm.target" ];
partOf = [ "phpfpm.target" ];
preStart = ''
mkdir -p ${stateDir}
'';
serviceConfig = let
cfgFile = fpmCfgFile pool poolConfig.config;
iniFile = phpIni poolConfig;
@ -165,19 +166,10 @@ in {
ProtectSystem = "full";
ProtectHome = true;
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
Type = "notify";
ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'";
ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
# User and group
User = "${poolConfig.userPool}";
Group = "${poolConfig.groupPool}";
# Runtime directory and mode
RuntimeDirectory = "phpfpm-${pool}";
RuntimeDirectoryMode = "0750";
# Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
};
}
);

57
nixos/modules/services/web-servers/phpfpm/pool-options.nix Normal file
View File

@ -0,0 +1,57 @@
{ lib, config }:
let
fpmCfg = config.services.phpfpm;
in
with lib; {
options = {
listen = mkOption {
type = types.str;
example = "/path/to/unix/socket";
description = ''
The address on which to accept FastCGI requests.
'';
};
phpPackage = mkOption {
type = types.package;
default = fpmCfg.phpPackage;
defaultText = "config.services.phpfpm.phpPackage";
description = ''
The PHP package to use for running this PHP-FPM pool.
'';
};
phpOptions = mkOption {
type = types.lines;
default = fpmCfg.phpOptions;
defaultText = "config.services.phpfpm.phpOptions";
description = ''
"Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
'';
};
extraConfig = mkOption {
type = types.lines;
example = ''
user = nobody
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
'';
description = ''
Extra lines that go into the pool configuration.
See the documentation on <literal>php-fpm.conf</literal> for
details on configuration directives.
'';
};
};
}