
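# {{ ansible_managed }}
#
# Per-user php-fpm instance: php-fpm@<user>.service.
# The instance name (%i) is used verbatim as the system user and group the
# whole php-fpm process tree runs as (master included), and as the name of its
# pool configuration file and error log. Because the master is already
# unprivileged, the pool's own user=/group= directives cannot change identity.
# Never instantiate this unit with "root" as the instance name.
# The listening socket is created by php-fpm@%i.socket and handed over on
# fd 3 (FPM_SOCKETS); FPM_SOCKET_PATH is exported so the pool configuration
# can refer to the same path.

[Unit]
Description=The PHP FastCGI Process Manager for %I
Documentation=man:php-fpm{{ php_version.stdout }}(8)
After=network.target
# systemd orders a socket-activated service after its .socket implicitly;
# Requires= additionally stops this service if the socket goes away.
Requires=php-fpm@%i.socket

[Service]
User=%i
Group=%i
# Requires php-fpm built with systemd support (it must call sd_notify on readiness).
Type=notify
# Socket passed by php-fpm@%i.socket as fd 3; php-fpm does not bind it itself.
Environment="FPM_SOCKETS=/run/php/php-fpm-%i.sock=3"
Environment="FPM_ERROR_LOG={{ php_fpm_log_dir }}/%i.log"
# Referenced from the pool configuration file.
Environment="FPM_SOCKET_PATH=/run/php/php-fpm-%i.sock"
ExecStart=/usr/sbin/php-fpm{{ php_version.stdout }} --nodaemonize --fpm-config /etc/php/{{ php_version.stdout }}/fpm/pool.d/%i.cfg
# USR2 asks the master for a graceful reload of configuration and workers.
ExecReload=/bin/kill -USR2 $MAINPID
# SIGTERM goes to the master only (it shuts its workers down itself); anything
# still alive in the cgroup once the master has exited is killed. "process"
# would leave orphaned workers holding the inherited listening socket across a
# stop, restart or master crash.
KillMode=mixed
Restart=on-failure
RestartSec=30s

# Hardening
# Baseline follows upstream; extra settings below are for multi-tenant use.
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
# /tmp and /var/tmp are private to this instance: PHP sessions and uploads
# that default there are not visible to other services or users.
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Hide other users' processes (command lines, environment) from PHP code.
# Needs systemd >= 247; older versions log a warning and ignore it.
ProtectProc=invisible
# Whole filesystem read-only except the ReadWritePaths= below.
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
# Deliberately not set:
#  - ProtectHome=: pools may serve content from the instance user's home;
#    set ProtectHome=read-only (or tmpfs) if docroots live elsewhere.
#  - MemoryDenyWriteExecute=: the opcache JIT needs writable+executable
#    mappings; only enable it if JIT is disabled in every pool.
ReadWritePaths=-{{ php_fpm_log_dir }}
# NOTE(review): /var/log/ is broader than this unit needs (only
# php_fpm_log_dir is referenced here); drop it unless a pool logs elsewhere
# under /var/log. DAC still limits writes to what user %i owns.
ReadWritePaths=-/var/log/
# Only the php runtime directory, not all of /run (/var/run is a symlink to
# /run). Connecting to other daemons' sockets under /run does not need write
# access to the mount.
ReadWritePaths=-/run/php
InaccessiblePaths=-/root/
# NOTE(review): /run/php is shared by every instance while User=%i differs
# per instance; systemd applies User=/Group= ownership to RuntimeDirectory=
# on start. Verify ownership does not flip between users on a host with
# several instances (a per-instance directory would avoid this but changes
# the socket path used by php-fpm@%i.socket).
RuntimeDirectory=php
RuntimeDirectoryPreserve=yes

# Resources (per instance: with many users the sum can exceed the host)
CPUQuota=100%
MemoryHigh=25%
MemoryMax=35%

[Install]
WantedBy=multi-user.target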