Do not limit service by default

2023-11-01 08:08:21 +01:00 · 2023-11-01 08:08:21 +01:00 · 6c6227919d
commit 6c6227919d
parent 90de9d5861
6 changed files with 8 additions and 6 deletions
--- a/templates/systemd/php-fpm@.service.j2
+++ b/templates/systemd/php-fpm@.service.j2
@ -0,0 +1,55 @@
+# {{ ansible_managed }}
+#
+# This service can be enabled for each user.
+# It uses a single php-fpm configuration file.
+# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
+
+[Unit]
+Description=The PHP FastCGI Process Manager for %I
+Documentation=man:php-fpm{{ php_version.stdout }}(8)
+After=network.target
+Requires=php-fpm@%i.socket
+
+[Service]
+User={{ php_fpm_user | default('%i') }}
+Group={{ php_fpm_group | default('%i') }}
+Type=notify
+Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
+Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/{{ php_fpm_log_file | default('%i.log') }}"
+# this variable is used in the pool configuration file
+Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
+ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_config_file }}
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
+
+# Hardening
+# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+# Resources
+{% if php_fpm_cpu_quota is defined %}
+CPUQuota={{ php_fpm_cpu_quota }}
+{% endif %}
+{% if php_fpm_memory_high is defined %}
+MemoryHigh={{ php_fpm_memory_high }}
+{% endif %}
+{% if php_fpm_memory_max is defined %}
+MemoryMax={{ php_fpm_memory_max }}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target