php: Erstelle allgemeine PHP-FPM-Konfiguration

defaults/main.yml

@@ -1 +1,2 @@
----
+---
+php_fpm_log_dir: /var/log/phpfpm

files/systemd/php-fpm@.socket

@@ -0,0 +1,11 @@
+[Unit]
+After=network-online.target
+
+[Socket]
+SocketUser=%i
+SocketGroup=%i
+SocketMode=0660
+ListenStream=/run/php/php-fpm-%i.sock
+
+[Install]
+WantedBy=sockets.target

handlers/main.yml

@@ -8,3 +8,12 @@
   service:
     name: "php{{ php_version.stdout }}-fpm"
     state: reloaded
+
+- name: stop php-fpm-socket
+  command: systemctl stop php-fpm@*.socket
+
+- name: stop php-fpm-service
+  command: systemctl stop php-fpm@*.service
+
+- name: start php-fpm-socket
+  command: systemctl start php-fpm@*.socket --all

tasks/php.yml

@@ -21,6 +21,11 @@
     dest: "/etc/php/{{ php_version.stdout }}/cli/conf.d/30-sao.ini"
     state: link
 
+- name: "php | Erstelle Log-Verzeichnis"
+  file:
+    path: "{{ php_fpm_log_dir }}"
+    state: directory
+
 - name: "php | Verlinke FPM-Konfiguration"
   file:
     src: "/etc/php/{{ php_version.stdout }}/mods-available/sao-fpm.ini"
@@ -28,3 +33,21 @@
     state: link
   when: "'php-fpm' in ansible_facts.packages"
   notify: reload php-fpm
+
+- name: "php | Kopiere Template für PHP-FPM systemd socket"
+  copy:
+    src: systemd/php-fpm@.socket
+    dest: /etc/systemd/system/php-fpm@.socket
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket
+
+- name: "php | Kopiere Template für PHP-FPM systemd service"
+  template:
+    src: systemd/php-fpm@.service.j2
+    dest: /etc/systemd/system/php-fpm@.service
+  notify:
+    - stop php-fpm-socket
+    - stop php-fpm-service
+    - start php-fpm-socket

templates/systemd/php-fpm@.service.j2

@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+#
+# This service can be enabled for Wordpress site.
+# It uses a single php-fpm configuration file.
+# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
+
+[Unit]
+Description=The PHP FastCGI Process Manager for %I
+Documentation=man:php-fpm{{ php_version.stdout }}(8)
+After=network.target
+Requires=php-fpm@%i.socket
+
+[Service]
+User=%i
+Group=%i
+Type=notify
+Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
+Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
+# this variable is used in the pool configuration file
+Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
+ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config /etc/php/{{ php_version.stdout }}/fpm/pool.d/%i.cfg
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=30s
+
+# Hardening
+# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target