59 lines
1.7 KiB
Desktop File
59 lines
1.7 KiB
Desktop File
# {{ ansible_managed }}
|
|
#
|
|
# This service can be enabled for each user.
|
|
# It uses a single php-fpm configuration file.
|
|
# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
|
|
|
|
[Unit]
|
|
Description=The PHP FastCGI Process Manager for %I
|
|
Documentation=man:php-fpm{{ php_version.stdout }}(8)
|
|
After=network.target
|
|
Requires=php-fpm@%i.socket
|
|
|
|
[Service]
|
|
User={{ php_fpm_user | default('%i') }}
|
|
Group={{ php_fpm_group | default('%i') }}
|
|
Type=notify
|
|
Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
|
|
Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/{{ php_fpm_log_file | default('%i.log') }}"
|
|
# this variable is used in the pool configuration file
|
|
Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
|
|
ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_config_file }}
|
|
ExecReload=/bin/kill -USR2 $MAINPID
|
|
KillMode=process
|
|
Restart=on-failure
|
|
RestartSec=30s
|
|
|
|
# Hardening
|
|
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
|
|
LockPersonality=true
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
PrivateTmp=true
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectSystem=strict
|
|
RestrictRealtime=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
|
RestrictNamespaces=true
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
|
|
ReadWritePaths=-/var/log/
|
|
ReadWritePaths=-{{ php_fpm_log_dir }}/
|
|
ReadWritePaths=-/var/run/
|
|
ReadWritePaths=-/run/
|
|
InaccessiblePaths=-/root/
|
|
RuntimeDirectory=php
|
|
RuntimeDirectoryPreserve=yes
|
|
|
|
# Resources
|
|
CPUQuota={{ php_fpm_cpu_quota }}
|
|
MemoryHigh={{ php_fpm_memory_high }}
|
|
MemoryMax={{ php_fpm_memory_max }}
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|