Too strict options prevent some services from running. It's better to test these options and include them in specific roles.
# {{ ansible_managed }}
#
# This service can be enabled for each user.
# It uses a single php-fpm configuration file.
# User-specific settings can be overridden via environment variables (see "FPM_SOCKET_PATH" below).
#
# Template unit: the instance name (%i) selects the pool user/group, the socket
# path and the log file. The listening socket is created and owned by the
# matching php-fpm@%i.socket unit (socket activation); the service itself only
# inherits it and never binds a port on its own.

[Unit]
Description=The PHP FastCGI Process Manager for %I
Documentation=man:php-fpm{{ php_version.stdout }}(8)
After=network.target
# Hard dependency on the socket unit: without the inherited socket the master
# has nothing to listen on (see FPM_SOCKETS below).
Requires=php-fpm@%i.socket

[Service]
# Master runs as the instance user unless the role overrides it. A non-root
# master cannot switch uid/gid, so the pool's user/group directives are
# effectively fixed to these values.
User={{ php_fpm_user | default('%i') }}
Group={{ php_fpm_group | default('%i') }}
# Type=notify relies on php-fpm being built with systemd support
# (--with-fpm-systemd) -- TODO confirm for the packaged php-fpm{{ php_version.stdout }}.
Type=notify
# php-fpm takes inherited sockets as "<address>=<fd>" pairs. fd 3 is the first
# descriptor systemd hands over; this assumes the socket unit declares exactly
# one ListenStream= for this path -- verify against the socket template.
Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/{{ php_fpm_log_file | default('%i.log') }}"
# this variable is used in the pool configuration file
# (must match the ListenStream= path of php-fpm@%i.socket)
Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config {{ php_fpm_pool_config_file }}
# USR2 asks the master for a graceful reload of configuration and workers.
ExecReload=/bin/kill -USR2 $MAINPID
# Only the master receives the stop signal; terminating the workers is left to
# php-fpm. Workers that do not follow the master outlive the unit, so keep
# process_control_timeout in the pool configuration in mind.
KillMode=process
Restart=on-failure
# While the service is down, the socket unit keeps queuing new connections.
RestartSec=30s

# Hardening
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
# Kept deliberately close to the upstream unit. Stricter options (ProtectHome=,
# ProtectSystem=strict, MemoryDenyWriteExecute= -- the latter would likely
# break the opcache JIT) can prevent some pools from running; test them first
# and add them in role-specific overrides.
# NoNewPrivileges= is not set explicitly; with a non-root User= the seccomp
# options below normally imply it -- confirm with "systemctl show".
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
# full: /usr, /boot, /efi and /etc read-only; /var (error log) stays writable.
ProtectSystem=full
RestrictRealtime=true
# AF_UNIX is required for the FPM socket; AF_INET/AF_INET6 presumably for
# outbound connections from PHP (databases, HTTP clients) -- verify per pool.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
SystemCallArchitectures=native
# Filtered syscalls fail with EPERM instead of killing the process, so a
# blocked call shows up in the error log rather than as a silent crash.
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

# Resources
# cgroup limits per instance: MemoryHigh throttles, MemoryMax invokes the OOM
# killer. Values are supplied by the role (e.g. "50%", "512M" -- constructed examples).
CPUQuota={{ php_fpm_cpu_quota }}
MemoryHigh={{ php_fpm_memory_high }}
MemoryMax={{ php_fpm_memory_max }}

[Install]
WantedBy=multi-user.target