movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-18 07:29:23 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #63156 from Izorkin/phpfpm-rootless

Browse source 
phpfpm: do not run anything as root
This commit is contained in:
Elis Hirwing 2019-06-27 19:13:53 +02:00 committed by GitHub
commit b5478fd1a2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 231 additions and 242 deletions
Download patch file Download diff file Expand all files Collapse all files

36
nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
View file

@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }: with lib; let
cfg = config.services.icingaweb2;
poolName = "icingaweb2";
phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";
defaultConfig = {
global = {
@ -162,19 +161,23 @@ in {
};
config = mkIf cfg.enable {
services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = ''
listen = "${phpfpmSocketName}"
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = icingaweb2
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 10
'';
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = {
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "icingaweb2";
group = "icingaweb2";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 10
'';
};
};
services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}")
@ -206,7 +209,7 @@ in {
include ${config.services.nginx.package}/conf/fastcgi.conf;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${phpfpmSocketName};
fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php;
'';
};
@ -239,5 +242,8 @@ in {
group = "icingaweb2";
isSystemUser = true;
};
users.users.nginx = {
extraGroups = [ "icingaweb2" ];
};
};
}

8
nixos/modules/services/web-apps/limesurvey.nix
View file

@ -202,13 +202,13 @@ in
};
services.phpfpm.pools.limesurvey = {
socketName = "limesurvey";
phpPackage = php;
listen = "/run/phpfpm/limesurvey.sock";
user = "${user}";
group = "${group}";
extraConfig = ''
listen.owner = ${config.services.httpd.user};
listen.group = ${config.services.httpd.group};
user = ${user};
group = ${group};
env[LIMESURVEY_CONFIG] = ${limesurveyConfig}
@ -241,7 +241,7 @@ in
<Directory "${pkg}/share/limesurvey">
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/"
SetHandler "proxy:unix:/run/phpfpm-limesurvey/limesurvey.sock|fcgi://localhost/"
</If>
</FilesMatch>

38
nixos/modules/services/web-apps/matomo.nix
View file

@ -4,13 +4,14 @@ let
cfg = config.services.matomo;
user = "matomo";
group = "matomo";
dataDir = "/var/lib/${user}";
deprecatedDataDir = "/var/lib/piwik";
pool = user;
# it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
# it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
# and therefore is not accessible by the web server.
phpSocket = "/run/phpfpm-${pool}.sock";
phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
phpExecutionUnit = "phpfpm-${pool}";
databaseService = "mysql.service";
@ -137,9 +138,12 @@ in {
isSystemUser = true;
createHome = true;
home = dataDir;
group = user;
group = "${group}";
};
users.groups.${user} = {};
users.users.${config.services.nginx.user} = {
extraGroups = [ "${group}" ];
};
users.groups.${group} = {};
systemd.services.matomo-setup-update = {
# everything needs to set up and up to date before Matomo php files are executed
@ -169,7 +173,7 @@ in {
echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
mv -T ${deprecatedDataDir} ${dataDir}
fi
chown -R ${user}:${user} ${dataDir}
chown -R ${user}:${group} ${dataDir}
chmod -R ug+rwX,o-rwx ${dataDir}
'';
script = ''
@ -225,22 +229,26 @@ in {
serviceConfig.UMask = "0007";
};
services.phpfpm.poolConfigs = let
services.phpfpm.pools = let
# workaround for when both are null and need to generate a string,
# which is illegal, but as assertions apparently are being triggered *after* config generation,
# we have to avoid already throwing errors at this previous stage.
socketOwner = if (cfg.nginx != null) then config.services.nginx.user
else if (cfg.webServerUser != null) then cfg.webServerUser else "";
in {
${pool} = ''
listen = "${phpSocket}"
listen.owner = ${socketOwner}
listen.group = root
listen.mode = 0600
user = ${user}
env[PIWIK_USER_PATH] = ${dataDir}
${cfg.phpfpmProcessManagerConfig}
'';
${pool} = {
socketName = "${pool}";
phpPackage = pkgs.php;
user = "${user}";
group = "${group}";
extraConfig = ''
listen.owner = ${socketOwner}
listen.group = ${group}
listen.mode = 0600
env[PIWIK_USER_PATH] = ${dataDir}
${cfg.phpfpmProcessManagerConfig}
'';
};
};

13
nixos/modules/services/web-apps/nextcloud.nix
View file

@ -394,13 +394,14 @@ in {
phpOptions)));
in {
phpOptions = phpOptionsExtensions;
socketName = "nextcloud";
phpPackage = phpPackage;
listen = "/run/phpfpm/nextcloud";
user = "nextcloud";
group = "${config.services.nginx.group}";
extraConfig = ''
listen.owner = nginx
listen.group = nginx
user = nextcloud
group = nginx
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
${cfg.poolConfig}
env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config
env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin
@ -466,7 +467,7 @@ in {
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/phpfpm/nextcloud;
fastcgi_pass unix:/run/phpfpm-nextcloud/nextcloud.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 120s;

18
nixos/modules/services/web-apps/restya-board.nix
View file

@ -13,7 +13,7 @@ let
runDir = "/run/restya-board";
poolName = "restya-board";
phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
in
@ -178,9 +178,12 @@ in
config = mkIf cfg.enable {
services.phpfpm.poolConfigs = {
services.phpfpm.pools = {
"${poolName}" = {
listen = phpfpmSocketName;
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "${cfg.user}";
group = "${cfg.group}";
phpOptions = ''
date.timezone = "CET"
@ -192,11 +195,9 @@ in
''}
'';
extraConfig = ''
listen.owner = nginx
listen.group = nginx
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
user = ${cfg.user}
group = ${cfg.group}
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
@ -365,6 +366,9 @@ in
home = runDir;
group = "restya-board";
};
users.users.nginx = {
extraGroups = [ "restya-board" ];
};
users.groups.restya-board = {};
services.postgresql.enable = mkIf (cfg.database.host == null) true;

45
nixos/modules/services/web-apps/selfoss.nix
View file

@ -3,9 +3,9 @@ with lib;
let
cfg = config.services.selfoss;
poolName = "selfoss_pool";
phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
poolName = "selfoss";
phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
group = "${cfg.user}";
dataDir = "/var/lib/selfoss";
selfoss-config =
@ -116,21 +116,25 @@ in
config = mkIf cfg.enable {
services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = ''
listen = "${phpfpmSocketName}";
listen.owner = nginx
listen.group = nginx
listen.mode = 0600
user = nginx
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
catch_workers_output = 1
'';
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = {
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "${cfg.user}";
group = "${group}";
extraConfig = ''
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
catch_workers_output = 1
'';
};
};
systemd.services.selfoss-config = {
@ -145,7 +149,7 @@ in
# Create the files
cp -r "${pkgs.selfoss}/"* "${dataDir}"
ln -sf "${selfoss-config}" "${dataDir}/config.ini"
chown -R "${cfg.user}" "${dataDir}"
chown -R "${cfg.user}":"${group}" "${dataDir}"
chmod -R 755 "${dataDir}"
'';
wantedBy = [ "multi-user.target" ];
@ -162,5 +166,8 @@ in
};
users.users.nginx = {
extraGroups = [ "${group}" ];
};
};
}

12
nixos/modules/services/web-apps/tt-rss.nix
View file

@ -512,12 +512,14 @@ let
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
"${poolName}" = {
listen = "/var/run/phpfpm/${poolName}.sock";
socketName = "${poolName}";
phpPackage = pkgs.php;
user = "${config.services.nginx.user}";
group = "${config.services.nginx.group}";
extraConfig = ''
listen.owner = nginx
listen.group = nginx
listen.owner = ${config.services.nginx.user}
listen.group = ${config.services.nginx.group}
listen.mode = 0600
user = ${cfg.user}
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
@ -543,7 +545,7 @@ let
locations."~ \.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen};
fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
fastcgi_index index.php;
'';
};