{ config, lib, pkgs, ... }: with lib; let cfg = config.services.phpfpm; enabled = cfg.pools != {}; poolConfigs = (mapAttrs mapPool cfg.pools); mapPool = n: p: { phpPackage = p.phpPackage; phpOptions = p.phpOptions; userPool = p.user; groupPool = p.group; }; fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" '' [global] error_log = syslog daemonize = no ${cfg.globalExtraConfig} [${pool}] listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock ${cfg.pools.${pool}.extraConfig} ''; phpIni = pool: pkgs.runCommand "php.ini" { inherit (pool) phpPackage phpOptions; preferLocalBuild = true; nixDefaults = '' sendmail_path = "/run/wrappers/bin/sendmail -t -i" ''; passAsFile = [ "nixDefaults" "phpOptions" ]; } '' cat $phpPackage/etc/php.ini $nixDefaultsPath $phpOptionsPath > $out ''; in { options = { services.phpfpm = { globalExtraConfig = mkOption { type = types.lines; default = ""; description = '' Global extra configuration that should be put in the global section of the PHP-FPM configuration file. Do not specify the options error_log or daemonize here, since they are generated by NixOS. ''; }; pools = mkOption { default = {}; type = types.attrsOf (types.submodule { options = { socketName = mkOption { type = types.str; example = "php-fpm"; description = '' The address on which to accept FastCGI requests. ''; }; phpPackage = mkOption { type = types.package; default = fpmCfg.phpPackage; defaultText = "config.services.phpfpm.phpPackage"; description = '' The PHP package to use for running this PHP-FPM pool. ''; }; phpOptions = mkOption { type = types.lines; default = fpmCfg.phpOptions; defaultText = "config.services.phpfpm.phpOptions"; description = '' "Options appended to the PHP configuration file php.ini used for this PHP-FPM pool." ''; }; user = mkOption { type = types.string; default = "phpfpm"; description = "User account under which phpfpm runs."; }; group = mkOption { type = types.string; default = "phpfpm"; description = "Group account under which phpfpm runs."; }; extraConfig = mkOption { type = types.lines; example = '' pm = dynamic pm.max_children = 75 pm.start_servers = 10 pm.min_spare_servers = 5 pm.max_spare_servers = 20 pm.max_requests = 500 ''; description = '' Extra lines that go into the pool configuration. See the documentation on php-fpm.conf for details on configuration directives. ''; }; }; }); example = literalExample '' { mypool = { socketName = "example"; phpPackage = pkgs.php; user = "phpfpm"; group = "phpfpm"; extraConfig = ''' pm = dynamic pm.max_children = 75 pm.start_servers = 10 pm.min_spare_servers = 5 pm.max_spare_servers = 20 pm.max_requests = 500 '''; } } ''; description = '' PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM service is disabled. ''; }; }; }; config = mkIf enabled { systemd.slices.phpfpm = { description = "PHP FastCGI Process manager pools slice"; }; systemd.targets.phpfpm = { description = "PHP FastCGI Process manager pools target"; wantedBy = [ "multi-user.target" ]; }; systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig: nameValuePair "phpfpm-${pool}" { description = "PHP FastCGI Process Manager service for pool ${pool}"; after = [ "network.target" ]; wantedBy = [ "phpfpm.target" ]; partOf = [ "phpfpm.target" ]; serviceConfig = let cfgFile = fpmCfgFile pool poolConfig.config; iniFile = phpIni poolConfig; in { Slice = "phpfpm.slice"; PrivateDevices = true; ProtectSystem = "full"; ProtectHome = true; # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; Type = "notify"; ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'"; ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; # User and group User = "${poolConfig.userPool}"; Group = "${poolConfig.groupPool}"; # Runtime directory and mode RuntimeDirectory = "phpfpm-${pool}"; RuntimeDirectoryMode = "0750"; # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ]; }; } ); }; }