Merge pull request #63156 from Izorkin/phpfpm-rootless

phpfpm: do not run anything as root
2019-06-27 19:13:53 +02:00
parent dbb00bfcbf eee87b460e
commit b5478fd1a2
12 changed files with 231 additions and 242 deletions
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -512,12 +512,14 @@ let

    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
      "${poolName}" = {
-        listen = "/var/run/phpfpm/${poolName}.sock";
+        socketName = "${poolName}";
+        phpPackage = pkgs.php;
+        user = "${config.services.nginx.user}";
+        group = "${config.services.nginx.group}";
        extraConfig = ''
-          listen.owner = nginx
-          listen.group = nginx
+          listen.owner = ${config.services.nginx.user}
+          listen.group = ${config.services.nginx.group}
          listen.mode = 0600
-          user = ${cfg.user}
          pm = dynamic
          pm.max_children = 75
          pm.start_servers = 10
@@ -543,7 +545,7 @@ let
          locations."~ \.php$" = {
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen};
+              fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
              fastcgi_index index.php;
            '';
          };