ansible-role-php/templates/systemd/php-fpm@.service.j2


# {{ ansible_managed }}
#
# Template unit: one instance can be enabled for each user (php-fpm@<instance>.service).
# Every instance uses the same single php-fpm configuration file.
# User-specific settings are passed in through environment variables (see "FPM_SOCKET_PATH" below).
# %i expands to the instance name as written in the unit name, %I to the same name unescaped.
[Unit]
Description=The PHP FastCGI Process Manager for %I
Documentation=man:php-fpm{{ php_version.stdout }}(8)
After=network.target
# Hard dependency on the instance's socket unit: if that unit cannot be started,
# this service is not started either.
# NOTE(review): the socket unit is not shown here; presumably it creates
# /run/php/php-fpm-%i.sock and sets its owner and mode. Verify that only the
# web server account can connect to it.
Requires=php-fpm@%i.socket
# Start rate limit: more than 10 starts within 10 seconds puts the unit into a
# failed state and stops further automatic starts.
# NOTE(review): StartLimitInterval= is the older spelling of StartLimitIntervalSec=.
# NOTE(review): Restart=always with RestartSec=15s (Service section of this file)
# spaces automatic restarts 15 seconds apart, so the restart loop alone cannot
# reach 10 starts in 10 seconds. As written, a crash-looping pool appears to be
# restarted indefinitely. Confirm that this is intended.
StartLimitInterval=10
StartLimitBurst=10
[Service]
# Account the pool runs as. When php_fpm_user / php_fpm_group are not set, the
# instance name (%i) is used, so the instance name selects the Unix account.
# NOTE(review): an instance named after a privileged account would execute PHP
# code as that account. Only enable instances for dedicated unprivileged users.
User={{ php_fpm_user | default('%i') }}
Group={{ php_fpm_group | default('%i') }}
# systemd treats the service as started once php-fpm sends its readiness notification.
Type=notify
# Tells php-fpm to reuse an already-open listening socket, written as path=descriptor.
# Descriptor 3 is the first descriptor systemd hands to a socket-activated service.
# NOTE(review): presumably this matches the socket created by php-fpm@%i.socket - confirm.
Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
# Error log path. The file name is per instance (%i.log) unless php_fpm_log_file is set,
# in which case every instance is given the same file name.
# NOTE(review): the log must be writable by the service account. ProtectSystem=full
# in this unit makes /usr, /boot, /efi and /etc read-only, so confirm that
# php_fpm_log_dir lies outside them and that one pool user cannot read or
# modify another pool's log.
Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/{{ php_fpm_log_file | default('%i.log') }}"
# this variable is used in the pool configuration file
Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
# Runs the php-fpm master in the foreground with the shared configuration file,
# so systemd tracks it directly as the main process.
ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_config_file }}
# Reload by sending SIGUSR2 to the main process.
ExecReload=/bin/kill -USR2 $MAINPID
# On stop, systemd signals only the main process. Worker processes are left to
# the php-fpm master to terminate.
# NOTE(review): systemd.kill(5) advises against KillMode=process because
# processes can outlive the unit and escape its resource limits. Confirm that
# workers are always reaped, or evaluate KillMode=mixed.
KillMode=process
# Restart after every exit of the service (clean or not), 15 seconds later.
Restart=always
RestartSec=15s
# Hardening
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
# Private /dev containing only pseudo devices, no physical devices.
PrivateDevices=true
# Private /tmp and /var/tmp, not shared with other units or instances.
PrivateTmp=true
# Deny changes to the system and hardware clock.
ProtectClock=true
# Control group hierarchy is read-only for the service.
ProtectControlGroups=true
# Deny explicit loading and unloading of kernel modules.
ProtectKernelModules=true
# Kernel variables under /proc and /sys are read-only.
ProtectKernelTunables=true
# /usr, /boot, /efi and /etc are mounted read-only; the rest of the file system
# stays writable subject to ordinary file permissions.
ProtectSystem=full
# Deny realtime scheduling policies.
RestrictRealtime=true
# Sockets may only be created for the listed address families.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
# Deny creating or entering namespaces.
RestrictNamespaces=true
# NOTE(review): not set in this unit and worth evaluating for a per-user PHP pool:
# NoNewPrivileges=, ProtectHome=, ProtectKernelLogs=, ProtectHostname=,
# LockPersonality=, RestrictSUIDSGID=, CapabilityBoundingSet=, and
# ProtectSystem=strict combined with ReadWritePaths=.
# Without ProtectHome= the home directories of other users stay reachable,
# limited only by file permissions.
# According to systemd.exec(5) several options used here imply NoNewPrivileges
# when User= is set; setting it explicitly would document the intent.
# "systemd-analyze security" on a running instance lists the remaining exposure.
# Only system calls of the native architecture are permitted, so a system call
# filter cannot be sidestepped through an alternative ABI.
SystemCallArchitectures=native
# A system call rejected by the filter fails with EPERM instead of terminating the process.
SystemCallErrorNumber=EPERM
# Allow-list: only system calls in the predefined @system-service group are permitted.
# NOTE(review): PHP extensions that need calls outside this group will see them
# fail; check the journal or audit log after deployment.
SystemCallFilter=@system-service
# Optional cgroup resource limits: each directive is rendered only when its role variable is defined.
# NOTE(review): with none of the variables defined an instance runs without any
# CPU or memory limit from this unit, so one pool can starve the others.
{% if php_fpm_cpu_quota is defined %}
# Resources
# CPU time cap for the whole instance, given as a percentage of one CPU with a
# trailing percent sign. Values above 100 allow more than one CPU.
CPUQuota={{ php_fpm_cpu_quota }}
{% endif %}
{% if php_fpm_memory_high is defined %}
# Throttling threshold: above it the instance's processes are slowed down and
# their memory is reclaimed aggressively (requires the unified cgroup hierarchy).
MemoryHigh={{ php_fpm_memory_high }}
{% endif %}
{% if php_fpm_memory_max is defined %}
# Hard memory limit: when usage cannot be kept below it, the kernel out-of-memory
# killer acts inside this instance (requires the unified cgroup hierarchy).
MemoryMax={{ php_fpm_memory_max }}
{% endif %}
# Enabled instances are started as part of the normal multi-user boot.
[Install]
WantedBy=multi-user.target