From fc7c14eda5345737f37342b3050c3747b6316056 Mon Sep 17 00:00:00 2001
From: phil
Date: Thu, 18 Aug 2022 08:40:39 +0200
Subject: [PATCH] php: Erstelle allgemeine PHP-FPM-Konfiguration

---
 defaults/main.yml | 3 +-
 files/systemd/php-fpm@.socket | 11 +++++++
 handlers/main.yml | 9 ++++++
 tasks/php.yml | 23 ++++++++++++++
 templates/systemd/php-fpm@.service.j2 | 43 +++++++++++++++++++++++++++
 5 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 files/systemd/php-fpm@.socket
 create mode 100644 templates/systemd/php-fpm@.service.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 73b314f..a416eef 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1 +1,2 @@
----
\ No newline at end of file
+---
+php_fpm_log_dir: /var/log/phpfpm
diff --git a/files/systemd/php-fpm@.socket b/files/systemd/php-fpm@.socket
new file mode 100644
index 0000000..6b9313e
--- /dev/null
+++ b/files/systemd/php-fpm@.socket
@@ -0,0 +1,11 @@
+[Unit]
+After=network-online.target
+
+[Socket]
+SocketUser=%i
+SocketGroup=%i
+SocketMode=0660
+ListenStream=/run/php/php-fpm-%i.sock
+
+[Install]
+WantedBy=sockets.target
diff --git a/handlers/main.yml b/handlers/main.yml
index ebea416..8e027d3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -8,3 +8,12 @@
 service:
 name: "php{{ php_version.stdout }}-fpm"
 state: reloaded
+
+- name: stop php-fpm-socket
+ command: systemctl stop php-fpm@*.socket
+
+- name: stop php-fpm-service
+ command: systemctl stop php-fpm@*.service
+
+- name: start php-fpm-socket
+ command: systemctl start php-fpm@*.socket --all
diff --git a/tasks/php.yml b/tasks/php.yml
index 6c68a14..fcfc8b2 100644
--- a/tasks/php.yml
+++ b/tasks/php.yml
@@ -21,6 +21,11 @@
 dest: "/etc/php/{{ php_version.stdout }}/cli/conf.d/30-sao.ini"
 state: link
+- name: "php | Erstelle Log-Verzeichnis"
+ file:
+ path: "{{ php_fpm_log_dir }}"
+ state: directory
+
 - name: "php | Verlinke FPM-Konfiguration"
+ file:
+ src: "/etc/php/{{ php_version.stdout }}/mods-available/sao-fpm.ini"
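Review bot: `SocketUser=%i`/`SocketGroup=%i` together with `SocketMode=0660` means only the site user %i and members of its primary group can connect to `/run/php/php-fpm-%i.sock`; whatever front-end hands requests to this pool (presumably a web server, not visible in this patch) must therefore run as %i or be added to that group, and nothing in the unit records that requirement. Either point `SocketGroup=` at the web server's group and keep 0660, or add a comment above `[Socket]` such as `# 0660 owned by %i: the web server must be a member of group %i to connect`. `After=network-online.target` without a matching `Wants=` is ordering-only, and a unix socket does not need the network to be up, so that line can be dropped.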
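Review bot: The three new handlers stop and start the template units but never run `systemctl daemon-reload`, so after tasks/php.yml drops a new or changed `php-fpm@.socket`/`php-fpm@.service` into /etc/systemd/system the restarted instances still run the previously loaded definition. Add a daemon-reload handler that fires before `start php-fpm-socket`, ideally through the `systemd` module (`systemd: daemon_reload: true`), which would also replace the bare `command: systemctl …` calls with something idempotent. `systemctl start` with a glob like `php-fpm@*.socket` only acts on units the manager already has loaded, so confirm the intended instances are still loaded after the preceding `stop`; `--all` is documented for the listing commands and its effect on `start` is worth verifying.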
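Review bot: The new `state: directory` task creates `{{ php_fpm_log_dir }}` with whatever owner and mode root's umask yields and grants the per-site users nothing, yet the service template in this same patch writes `FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log` while running as `User=%i`; as written each instance will fail to open its error log, and the tempting quick fix (a group- or world-writable shared directory) lets one tenant read or replace another tenant's log file. Pin the directory explicitly with `owner: root`, `group: root`, `mode: "0755"` and give every instance its own writable subdirectory, either with a per-site `file:` task or by letting the service unit provision it (`LogsDirectory=`).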
@@ -28,3 +33,21 @@
 state: link
 when: "'php-fpm' in ansible_facts.packages"
 notify: reload php-fpm
+
+- name: "php | Kopiere Template für PHP-FPM systemd socket"
+ copy:
+ src: systemd/php-fpm@.socket
+ dest: /etc/systemd/system/php-fpm@.socket
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
+
+- name: "php | Kopiere Template für PHP-FPM systemd service"
+ template:
+ src: systemd/php-fpm@.service.j2
+ dest: /etc/systemd/system/php-fpm@.service
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
diff --git a/templates/systemd/php-fpm@.service.j2 b/templates/systemd/php-fpm@.service.j2
new file mode 100644
index 0000000..348bdb2
--- /dev/null
+++ b/templates/systemd/php-fpm@.service.j2
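Review bot: Neither the `copy:` nor the `template:` task pins `owner`, `group` or `mode` on the unit files it writes under /etc/systemd/system, so their permissions depend on the remote umask; add `owner: root`, `group: root`, `mode: "0644"` to both, the conventional mode for unit files. Both tasks also lack the `when: "'php-fpm' in ansible_facts.packages"` guard carried by the adjacent link task, so a host without php-fpm still receives units whose `ExecStart` points at a binary that is presumably absent; the same `when:` belongs on both. The notified handler chain contains no daemon-reload, so systemd keeps using the previously loaded unit definitions until one is run.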
@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+#
+# This service can be enabled for Wordpress site.
+# It uses a single php-fpm configuration file.
+# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
+
+[Unit]
+Description=The PHP FastCGI Process Manager for %I
+Documentation=man:php-fpm{{ php_version.stdout }}(8)
+After=network.target
+Requires=php-fpm@%i.socket
+
+[Service]
+User=%i
+Group=%i
+Type=notify
+Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
+Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
+# this variable is used in the pool configuration file
+Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
+ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config /etc/php/{{ php_version.stdout }}/fpm/pool.d/%i.cfg
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
+
+# Hardening
+# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target
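Review bot: Every instance runs as its own `User=%i`, yet `Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"` sends all of them into one shared directory and the unit provisions no writable location of its own; `ProtectSystem=full` leaves /var writable, so in practice this only works with a directory writable by every site user, where one tenant can read or swap out another tenant's log (symlink tricks included). Give each instance a private log directory from the unit, e.g. `LogsDirectory=phpfpm/%i`, `LogsDirectoryMode=0750` and `Environment="FPM_ERROR_LOG=/var/log/phpfpm/%i/error.log"` when `php_fpm_log_dir` stays under /var/log (`LogsDirectory=` is relative to /var/log), or an equivalent per-site directory created by the play otherwise. The header comment should also state plainly that `--fpm-config …/pool.d/%i.cfg` makes that file the entire FPM configuration, so the package's global php-fpm.conf and the other pool files are not read for this instance — an operator expecting global settings to apply would otherwise be surprised.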