From 04b028cd8e3f337693e0cfd45feeecf0e07b534e Mon Sep 17 00:00:00 2001
From: phil
Date: Wed, 8 Feb 2023 09:02:57 +0100
Subject: [PATCH] Create system user and systemd service/socket

---
 README.md             | 16 ++++++++++++++++
 tasks/main.yml        | 10 ++++++++--
 tasks/user.yml        | 44 +++++++++++++++++++++++++++++++++++++++++++
 templates/fpmpool.cfg | 24 +++++++++++++++++++++++
 4 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 tasks/user.yml
 create mode 100644 templates/fpmpool.cfg

diff --git a/README.md b/README.md
index 89670b6..6de36c2 100644
--- a/README.md
+++ b/README.md
@@ -25,3 +25,19 @@ php:
   memory_limit: 256M
   post_max_size: 30M
 ```
+
+## Nutzerkonto und PHP-FPM-Service anlegen
+
+Per Ansible Tag kann ein Systemkonto und ein PHP-FPM-Socket und Service angelegt werden. Am Beispiel des playbooks `php.yml`:
+```Shell
+ansible-playbook playbooks/php.yml --tags never,user -e "php_user=foobar create_home=true"
+```
+
+Systemd-Socket und Service sind anschließend als `php-fpm@{{ php_user }}.[socket|service]` verfügbar.
+
+### Varibablen
+
+| Variable | default | Bedeutung |
+|--|--|--|
+| php_user | |Erforderlich, Nutzername des neuen Systemkontos |
+| create_home | false | Optional, Anlegen des Homedirs unter `/home/{{ php_user }}` |
diff --git a/tasks/main.yml b/tasks/main.yml
index 4cdbf04..d7693c2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
-- import_tasks: packages.yml
+- name: Package tasks
+  ansible.builtin.import_tasks: packages.yml
   tags: packages
 
 - name: "Get PHP version"
@@ -9,5 +10,10 @@
   changed_when: false
   check_mode: false
 
-- import_tasks: php.yml
+- name: PHP tasks
+  ansible.builtin.import_tasks: php.yml
   tags: php
+
+- name: User tasks
+  ansible.builtin.import_tasks: user.yml
+  tags: never, user
diff --git a/tasks/user.yml b/tasks/user.yml
new file mode 100644
index 0000000..4a4e901
--- /dev/null
+++ b/tasks/user.yml
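Review bot: `tags: never, user` on the new `User tasks` import relies on Ansible splitting a comma-separated string; the list form `tags: [never, user]` is what the documentation shows and leaves no doubt that two tags are meant. Because `import_tasks` is static, these tags propagate to every task in `user.yml`, and `never` means they run only when `user` (or `never`) is requested explicitly on the command line — a one-line comment above the task, `# never: only runs with --tags user; creates the system account and php-fpm@ units`, would save the next reader the lookup.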
@@ -0,0 +1,44 @@
+---
+- name: "User | Create systemd user"
+  ansible.builtin.user:
+    name: "{{ php_user }}"
+    shell: /bin/false
+    create_home: "{{ create_home | default('false') }}"
+    password_lock: true
+
+- name: "User | Add www-data to user group"
+  ansible.builtin.user:
+    name: www-data
+    groups: "{{ php_user }}"
+    append: true
+
+- name: "User | Create log file"
+  ansible.builtin.file:
+    path: "{{ php_fpm_log_dir }}/{{ php_user }}.log"
+    state: touch
+    owner: "{{ php_user }}"
+    group: "{{ php_user }}"
+    mode: 0644
+
+- name: "User | Create PHP-FPM pool"
+  ansible.builtin.template:
+    src: fpmpool.cfg
+    dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ php_user }}.cfg"
+    mode: 0644
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "User | Enable systemd socket"
+  ansible.builtin.systemd:
+    name: "php-fpm@{{ php_user }}.socket"
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: "User | Enable systemd service"
+  ansible.builtin.systemd:
+    name: "php-fpm@{{ php_user }}.service"
+    enabled: true
+    daemon-reload: true
diff --git a/templates/fpmpool.cfg b/templates/fpmpool.cfg
new file mode 100644
index 0000000..73d2950
--- /dev/null
+++ b/templates/fpmpool.cfg
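Review bot: The last task, `User | Enable systemd service`, passes `daemon-reload: true`, but the `ansible.builtin.systemd` parameter is `daemon_reload` (the socket task just above spells it correctly), so this task should fail with an unsupported-parameter error; change it to `    daemon_reload: true`. The pool log file is created with `mode: 0644`, which makes the PHP error output world-readable; `"0640"` is enough because www-data is added to the `{{ php_user }}` group two tasks earlier, and quoting the octal modes (`"0644"`, `"0640"`) is what the Ansible docs recommend so a parser cannot read them as decimal. The template task notifies `stop php-fpm-socket`, `stop php-fpm-service` and `start php-fpm-socket`, and the systemd tasks reference a `php-fpm@` template unit, none of which are in this patch; if they are not already defined in the role's handlers and files, the play fails at the first notify. The pool file is written as `pool.d/{{ php_user }}.cfg`, and Debian's php-fpm only includes `pool.d/*.conf`; given the `[global]` section in the template I assume the unit starts php-fpm with this file as its full config (`-y`), which deserves a comment on the task such as `# .cfg on purpose: loaded by php-fpm@.service as a standalone config, not by pool.d/*.conf`. Since the account is a service account (`shell: /bin/false`, `password_lock: true`), `system: true` on the first task would also keep its UID out of the regular user range.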
@@ -0,0 +1,24 @@
+[global]
+error_log = ${FPM_ERROR_LOG}
+
+[{{ php_user }}]
+listen = ${FPM_SOCKET_PATH}
+pm = ondemand
+pm.max_children = 5
+pm.start_servers = 2
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
+pm.status_path = /status
+chdir = /
+clear_env = no
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = {{ php.memory_limit | default('256M') }}
+php_admin_value[upload_max_filesize] = {{ php.upload_max_filesize | default('30M') }}
+php_admin_value[post_max_size] = {{ php.post_max_size | default('30M') }}
+php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo
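Review bot: `php_flag[display_errors] = off` can be overridden by application code through `ini_set()`, unlike the neighbouring `php_admin_flag[log_errors] = on`; for a hardening setting use `php_admin_flag[display_errors] = off`. In `disable_functions`, `curl_ini` and `system_exec` are not PHP function names and are silently ignored, and `pcntl_exec` is listed twice — if `curl_init` was meant, that is a deliberate choice that should be documented, otherwise drop the two entries. `clear_env = no` hands the FPM master's whole environment to every worker, where scripts can read it via `getenv()`; the `${FPM_ERROR_LOG}`/`${FPM_SOCKET_PATH}` references are expanded by the master when the config is parsed and so do not appear to need it, which makes the default `clear_env = yes` plus explicit `env[...]` entries the safer choice — worth confirming against the `php-fpm@` unit, which is not in this patch. `security.limit_extensions = .php .php3 .php4 .php5` widens the default `.php` to legacy extensions and `pm.status_path = /status` is switched on for every pool; both should be confirmed as actually needed, and the status path must be restricted in the web server in front of this socket. `pm.start_servers` only applies to `pm = dynamic` and is ignored under `ondemand`, so the line can go.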