php: Erstelle allgemeine PHP-FPM-Konfiguration

This commit is contained in:
phil 2022-08-18 08:40:39 +02:00
parent cf112b7cc1
commit fc7c14eda5
5 changed files with 88 additions and 1 deletions


@ -1 +1,2 @@
---
php_fpm_log_dir: /var/log/phpfpm


@ -0,0 +1,11 @@
[Unit]
After=network-online.target
[Socket]
SocketUser=%i
SocketGroup=%i
SocketMode=0660
ListenStream=/run/php/php-fpm-%i.sock
[Install]
WantedBy=sockets.target
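Review bot: The `[Unit]` section orders this socket `After=network-online.target`, but the unit only binds an AF_UNIX path (`ListenStream=/run/php/php-fpm-%i.sock`), so no network is needed before it can listen; the ordering delays the socket until the network is up and, since the socket is also pulled into `sockets.target`, it risks an ordering loop with early-boot targets. I would drop that line entirely. The unit also has no `Description=`, so `systemctl status` shows the bare name; add `Description=PHP-FPM socket for %I`. A short comment on `SocketMode=0660` would help the next reader, e.g. `# 0660 + SocketUser/SocketGroup=%i: only the instance user and members of its group (the web server) may connect`.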


@ -8,3 +8,12 @@
service:
name: "php{{ php_version.stdout }}-fpm"
state: reloaded
- name: stop php-fpm-socket
command: systemctl stop php-fpm@*.socket
- name: stop php-fpm-service
command: systemctl stop php-fpm@*.service
- name: start php-fpm-socket
command: systemctl start php-fpm@*.socket --all
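Review bot: The `start php-fpm-socket` handler relies on a glob, `systemctl start php-fpm@*.socket --all`, but systemctl only matches glob patterns against units currently in memory, and an instance that was just stopped by the two preceding handlers is usually unloaded, so this handler will often start nothing; `--all` is a list-command option and does nothing for `start`. The handler chain also never runs `systemctl daemon-reload`, yet every task that notifies it (the `copy`/`template` tasks in the fourth file section of this commit) has just replaced `php-fpm@.socket` / `php-fpm@.service`, so the old unit definitions stay in effect until something else reloads the manager. I would add a handler such as `- name: daemon-reload php-fpm units` / `  systemd:` / `    daemon_reload: true`, notify it first from those tasks, and restart the concrete instances (from the known pool names) rather than a glob. The `reload php-fpm` handler that the first three lines belong to starts outside the hunk.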


@ -21,6 +21,11 @@
dest: "/etc/php/{{ php_version.stdout }}/cli/conf.d/30-sao.ini"
state: link
- name: "php | Erstelle Log-Verzeichnis"
file:
path: "{{ php_fpm_log_dir }}"
state: directory
- name: "php | Verlinke FPM-Konfiguration"
file:
src: "/etc/php/{{ php_version.stdout }}/mods-available/sao-fpm.ini"
@ -28,3 +33,21 @@
state: link
when: "'php-fpm' in ansible_facts.packages"
notify: reload php-fpm
- name: "php | Kopiere Template für PHP-FPM systemd socket"
copy:
src: systemd/php-fpm@.socket
dest: /etc/systemd/system/php-fpm@.socket
notify:
- stop php-fpm-socket
- stop php-fpm-service
- start php-fpm-socket
- name: "php | Kopiere Template für PHP-FPM systemd service"
template:
src: systemd/php-fpm@.service.j2
dest: /etc/systemd/system/php-fpm@.service
notify:
- stop php-fpm-socket
- stop php-fpm-service
- start php-fpm-socket
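Review bot: The `php | Erstelle Log-Verzeichnis` task creates `{{ php_fpm_log_dir }}` with no `owner`, `group` or `mode`, so the directory is created by root with the default umask, while the service template in this same commit runs each instance as `User=%i` and points `FPM_ERROR_LOG` at `{{ php_fpm_log_dir }}/%i.log`; unless something outside this change grants write access, each instance will fail to open its error log under a root-owned 0755 directory. I would set the mode explicitly and either create a per-instance subdirectory owned by that user or have the service write to a path the instance user owns, and put a comment on the task saying which user is expected to write there. The `php | Verlinke FPM-Konfiguration` task at the hunk boundary continues into the second hunk. Independently, the two `copy`/`template` tasks should also notify a daemon-reload handler before the stop/start handlers, since they replace unit files.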


@ -0,0 +1,43 @@
# {{ ansible_managed }}
#
# This service can be enabled for Wordpress site.
# It uses a single php-fpm configuration file.
# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
[Unit]
Description=The PHP FastCGI Process Manager for %I
Documentation=man:php-fpm{{ php_version.stdout }}(8)
After=network.target
Requires=php-fpm@%i.socket
[Service]
User=%i
Group=%i
Type=notify
Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
# this variable is used in the pool configuration file
Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config /etc/php/{{ php_version.stdout }}/fpm/pool.d/%i.cfg
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=process
Restart=on-failure
RestartSec=30s
# Hardening
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
[Install]
WantedBy=multi-user.target
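Review bot: `Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"` has no comment, and the trailing `=3` is opaque to a reader; a line such as `# php-fpm reads FPM_SOCKETS ("path=fd") to adopt the listening socket handed over by systemd; the first passed fd is always 3` would make the socket-activation contract explicit (the comment on the next line explains only FPM_SOCKET_PATH). Because `User=%i` makes the php-fpm master run unprivileged, the `user`/`group` directives in `pool.d/%i.cfg` are presumably ignored with a warning, so that file must otherwise agree with this unit — worth a comment next to `User=%i`. The header says the unit "can be enabled for Wordpress site", but nothing in the unit is WordPress-specific; rewording it as a generic per-user PHP-FPM instance template avoids misleading the next maintainer.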