Create system user and systemd service/socket

README.md

@@ -25,3 +25,19 @@ php:
   memory_limit: 256M
   post_max_size: 30M
 ```
+
+## Nutzerkonto und PHP-FPM-Service anlegen
+
+Per Ansible Tag kann ein Systemkonto und ein PHP-FPM-Socket und Service angelegt werden. Am Beispiel des playbooks `php.yml`:
+```Shell
+ansible-playbook playbooks/php.yml --tags never,user -e "php_user=foobar create_home=true"
+```
+
+Systemd-Socket und Service sind anschließend als `php-fpm@{{ php_user }}.[socket|service]` verfügbar.
+
+### Varibablen
+
+| Variable | default | Bedeutung |
+|--|--|--|
+| php_user | |Erforderlich, Nutzername des neuen Systemkontos |
+| create_home | false | Optional, Anlegen des Homedirs unter `/home/{{ php_user }}` |

tasks/main.yml

@@ -1,5 +1,6 @@
 ---
-- import_tasks: packages.yml
+- name: Package tasks
+  ansible.builtin.import_tasks: packages.yml
   tags: packages
 
 - name: "Get PHP version"
@@ -9,5 +10,10 @@
   changed_when: false
   check_mode: false
 
-- import_tasks: php.yml
+- name: PHP tasks
+  ansible.builtin.import_tasks: php.yml
   tags: php
+
+- name: User tasks
+  ansible.builtin.import_tasks: user.yml
+  tags: never, user

tasks/user.yml

@@ -0,0 +1,44 @@
+---
+- name: "User | Create systemd user"
+  ansible.builtin.user:
+    name: "{{ php_user }}"
+    shell: /bin/false
+    create_home: "{{ create_home | default('false') }}"
+    password_lock: true
+
+- name: "User | Add www-data to user group"
+  ansible.builtin.user:
+    name: www-data
+    groups: "{{ php_user }}"
+    append: true
+
+- name: "User | Create log file"
+  ansible.builtin.file:
+    path: "{{ php_fpm_log_dir }}/{{ php_user }}.log"
+    state: touch
+    owner: "{{ php_user }}"
+    group: "{{ php_user }}"
+    mode: 0644
+
+- name: "User | Create PHP-FPM pool"
+  ansible.builtin.template:
+    src: fpmpool.cfg
+    dest: "/etc/php/{{ php_version.stdout }}/fpm/pool.d/{{ php_user }}.cfg"
+    mode: 0644
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "User | Enable systemd socket"
+  ansible.builtin.systemd:
+    name: "php-fpm@{{ php_user }}.socket"
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: "User | Enable systemd service"
+  ansible.builtin.systemd:
+    name: "php-fpm@{{ php_user }}.service"
+    enabled: true
+    daemon-reload: true

templates/fpmpool.cfg

@@ -0,0 +1,24 @@
+[global]
+error_log = ${FPM_ERROR_LOG}
+
+[{{ php_user }}]
+listen = ${FPM_SOCKET_PATH}
+pm = ondemand
+pm.max_children = 5
+pm.start_servers = 2
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
+pm.status_path = /status
+chdir = /
+clear_env = no
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = {{ php.memory_limit | default('256M') }}
+php_admin_value[upload_max_filesize] = {{ php.upload_max_filesize | default('30M') }}
+php_admin_value[post_max_size] = {{ php.post_max_size | default('30M') }}
+php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo