nextcloud: Eigener PHP-FPM-Master pro Nextcloud-Instanz

2022-07-26 16:44:42 +02:00 · 2022-07-26 16:44:42 +02:00 · a996e6ebeb
commit a996e6ebeb
parent 230c3f538f
19 changed files with 231 additions and 105 deletions
--- a/templates/apache_alias.j2
+++ b/templates/apache_alias.j2
@ -1,5 +1,5 @@
 {% if instance.alias is defined %}
-  {% for alias in instance.alias %}
+{% for alias in instance.alias %}
 ServerAlias {{ alias }}
-  {% endfor %}
+{% endfor %}
 {% endif %}
--- a/templates/nginx_site.j2
+++ b/templates/nginx_site.j2
@ -1,6 +1,6 @@
 server {
        listen 80;
-	server_name {{ instance.domain }};
+	server_name {{ instance.name }};
 {% if instance.alias is defined %}
  {% for alias in instance.alias %}
 	server_name {{ alias }};
@ -12,9 +12,9 @@ server {

 server {
 	listen 443 ssl http2;
-        server_name {{ instance.domain }};
-        ssl_certificate /var/lib/dehydrated/certs/{{ instance.domain }}/fullchain.pem;
-        ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.domain }}/privkey.pem;
+        server_name {{ instance.name }};
+        ssl_certificate /var/lib/dehydrated/certs/{{ instance.name }}/fullchain.pem;
+        ssl_certificate_key /var/lib/dehydrated/certs/{{ instance.name }}/privkey.pem;
        include /etc/nginx/proxy_params;
        add_header Referrer-Policy $referrerpolicy;
        add_header Strict-Transport-Security $sts;
--- a/templates/php_fpm_pool.j2
+++ b/templates/php_fpm_pool.j2
@ -1,40 +1,32 @@
+[global]
+error_log = ${FPM_ERROR_LOG}
+
 [{{ instance.user }}]
-;prefix = /path/to/pools/$pool
-user = $pool
-group = $pool
-listen = /run/php/php-fpm-$pool.sock
-listen.owner =  $pool
-listen.group = www-data
-listen.mode = 0660
-listen.allowed_clients = 127.0.0.1
+listen = ${FPM_SOCKET_PATH}
 pm = dynamic
 pm.max_children = 60
 pm.start_servers = 10
 pm.min_spare_servers = 10
 pm.max_spare_servers = 30
-pm.process_idle_timeout = 10s;
-pm.max_requests = 100
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
 pm.status_path = /status
 chdir = /
 clear_env = no
 security.limit_extensions = .php .php3 .php4 .php5
-env[HOSTNAME] = $HOSTNAME
-env[PATH] = /usr/local/bin:/usr/bin:/bin
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-php_admin_value[memory_limit] = {{ nextcloud_php_memory_limit }}
-php_admin_value[upload_max_filesize] = {{ nextcloud_php_upload_limit }}
-php_admin_value[post_max_size] = {{ nextcloud_php_upload_limit }}
-php_admin_value[opcache.enable] = 1
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
 php_admin_value[opcache.interned_strings_buffer] = 8
 php_admin_value[opcache.max_accelerated_files] = 10000
 php_admin_value[opcache.memory_consumption] = 128
 php_admin_value[opcache.save_comments] = 1
 php_admin_value[opcache.revalidate_freq] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = {{ nextcloud_php_memory_limit }}
+php_admin_value[upload_max_filesize] = {{ nextcloud_php_upload_limit }}
+php_admin_value[post_max_size] = {{ nextcloud_php_upload_limit }}
 php_admin_value[open_basedir] = {{ nextcloud_install_path }}:/tmp:/dev/urandom:/proc/meminfo:/var/log:/sys/class/net/eth0:/sys/class/net/lo
 ;php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo
--- a/templates/systemd/php-fpm@.service.j2
+++ b/templates/systemd/php-fpm@.service.j2
@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+#
+# This service can be enabled for Wordpress site.
+# It uses a single php-fpm configuration file.
+# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
+
+[Unit]
+Description=The PHP FastCGI Process Manager for %I
+Documentation=man:php-fpm{{ php_version.stdout }}(8)
+After=network.target
+Requires=php-fpm@%i.socket
+
+[Service]
+User=%i
+Group=%i
+Type=notify
+Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
+Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
+# this variable is used in the pool configuration file
+Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
+ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_dir }}/%i.cfg
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
+
+# Hardening
+# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target