From 43477406629586b783614867899bda0b7dfd7bcf Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Thu, 1 Aug 2019 20:46:49 +0200
Subject: [PATCH] php-fpm: socket activation, instance units, journal, default
 params

---
 php-fpm/defaults/main.yml             |  8 +++-
 php-fpm/handlers/main.yml             | 10 ++++-
 php-fpm/tasks/main.yml                | 54 ++++++++++++++++++++++++---
 php-fpm/templates/php-fpm.conf.j2     |  9 +++--
 php-fpm/templates/php-fpm@.service.j2 | 30 +++++++++++++++
 php-fpm/templates/php-fpm@.socket.j2  | 11 ++++++
 php-fpm/templates/pool.conf.j2        | 20 +++++-----
 7 files changed, 120 insertions(+), 22 deletions(-)
 create mode 100644 php-fpm/templates/php-fpm@.service.j2
 create mode 100644 php-fpm/templates/php-fpm@.socket.j2

diff --git a/php-fpm/defaults/main.yml b/php-fpm/defaults/main.yml
index c0a701c..f477541 100644
--- a/php-fpm/defaults/main.yml
+++ b/php-fpm/defaults/main.yml
@@ -1,4 +1,10 @@
 ---
-# file: php-fpm/defaults/mail.yml
 
 fpm_pools: []
+
+fpm_default_params:
+  intl.default_locale: en_US
+  date.timezone: "Europe/Berlin"
+fpm_default_flags:
+  session.cookie_secure: true
+  session.cookie_httponly: true
diff --git a/php-fpm/handlers/main.yml b/php-fpm/handlers/main.yml
index 27ebd57..b580a0a 100644
--- a/php-fpm/handlers/main.yml
+++ b/php-fpm/handlers/main.yml
@@ -1,5 +1,11 @@
 ---
-# file: php-fpm/handlers/main.yml
 
 - name: restart php-fpm
-  service: name="php{{php_version}}-fpm.service" state=restarted
+  systemd:
+    name: "php-fpm@{{ item.name }}"
+    state: restarted
+  with_items: "{{ fpm_pools|default([]) }}"
+
+- name: reload systemd service files
+  systemd:
+    daemon_reload: true
diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml
index 03e29a9..3dc8edc 100644
--- a/php-fpm/tasks/main.yml
+++ b/php-fpm/tasks/main.yml
@@ -1,11 +1,10 @@
 ---
-# file: php-fpm/tasks/main.yml
 
-- include_vars: "{{debian_version}}.yml"
+- include_vars: "{{ debian_version }}.yml"
 
 - name: ensure php-fpm is installed
   apt:
-    name: "{{php_fpm_pkgs}}"
+    name: "{{ php_fpm_pkgs }}"
     state: present
   notify:
     - restart php-fpm
@@ -29,14 +28,59 @@
 - name: ensure we have all the pools we want
   template:
     src: pool.conf.j2
-    dest: "/etc/php/{{php_version}}/fpm/pool.d/{{item.name}}.conf"
+    dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{ item.name }}.conf"
     owner: root
     group: root
     mode: '0644'
   when: debian_version != "jessie"
-  with_items: "{{fpm_pools|default([])}}"
+  with_items: "{{ fpm_pools|default([]) }}"
   notify:
     - restart php-fpm
   tags:
     - php-fpm
     - webservices
+
+- name: ensure systemd can start php instances
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - php-fpm@.socket
+    - php-fpm@.service
+  notify:
+    - reload systemd service files
+    - restart php-fpm
+  tags:
+    - php-fpm
+    - webservices
+
+- name: get remote active php pools
+  shell: "systemctl list-units --state=loaded | grep uwsgi@ | sed -E 's/.*uwsgi@(.*)\.service.*/\1/'"
+  changed_when: false
+  register: running_pools
+  tags:
+    - php-fpm
+    - webservices
+
+- name: deactivate inactive pools via systemd
+  systemd:
+    name: "php-fpm@{{ item }}"
+    enabled: false
+    state: stopped
+  with_items: "{{ running_pools.stdout_lines|difference(fpm_pools|map(attribute=name))|list }}"
+  tags:
+    - php-fpm
+    - webservices
+
+- name: ensure active pools are enabled in systemd
+  systemd:
+    name: "php-fpm@{{ item.name }}"
+    enabled: true
+    state: started
+  with_items: "{{ fpm_pools|default([]) }}"
+  tags:
+    - php-fpm
+    - webservices
diff --git a/php-fpm/templates/php-fpm.conf.j2 b/php-fpm/templates/php-fpm.conf.j2
index 3e626c7..6931a1c 100644
--- a/php-fpm/templates/php-fpm.conf.j2
+++ b/php-fpm/templates/php-fpm.conf.j2
@@ -21,7 +21,8 @@ pid = /run/php/php{{ php_version }}-fpm.pid
 ; into a local file.
 ; Note: the default prefix is /var
 ; Default Value: log/php-fpm.log
-error_log = /var/log/php{{ php_version }}-fpm.log
+;error_log = /var/log/php{{ php_version }}-fpm.log
+error_log = syslog
 
 ; syslog_facility is used to specify what type of program is logging the
 ; message. This lets syslogd specify that messages from different facilities
@@ -96,7 +97,7 @@ error_log = /var/log/php{{ php_version }}-fpm.log
 
 ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
 ; Default Value: yes
-;daemonize = yes
+daemonize = no
 
 ; Set open file descriptor rlimit for the master process.
 ; Default Value: system defined value
@@ -140,4 +141,6 @@ error_log = /var/log/php{{ php_version }}-fpm.log
 ; Relative path can also be used. They will be prefixed by:
 ;  - the global prefix if it's been set (-p argument)
 ;  - /usr otherwise
-include=/etc/php/7.3/fpm/pool.d/*.conf
+
+; We do it the other way round.
+;include=/etc/php/{{ php_version }}/fpm/pool.d/*.conf
diff --git a/php-fpm/templates/php-fpm@.service.j2 b/php-fpm/templates/php-fpm@.service.j2
new file mode 100644
index 0000000..49bbef0
--- /dev/null
+++ b/php-fpm/templates/php-fpm@.service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=PHP-FPM service for %i
+After=syslog.target network.target
+After=mysqld.service postfix.service
+Requires=php-fpm@.socket
+
+[Service]
+Type=notify
+
+PrivateTmp=true
+NoNewPrivileges=true
+;PrivateNetwork=true
+PrivateDevices=true
+
+ProtectHome=true
+ProtectSystem=full
+InaccessiblePaths=-/var/lib/mysql
+
+MemoryAccounting=yes
+CPUAccounting=yes
+IOAccounting=yes
+
+User=%i
+Group=%i
+Environment="FPM_SOCKETS=/run/php/%i-fpm.sock=3"
+ExecStart=/usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/{{ php_version }}/fpm/pool.d/%i.conf
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/php-fpm/templates/php-fpm@.socket.j2 b/php-fpm/templates/php-fpm@.socket.j2
new file mode 100644
index 0000000..c3ab1c3
--- /dev/null
+++ b/php-fpm/templates/php-fpm@.socket.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=PHP-FPM socket for %i
+
+[Socket]
+ListenStream=/run/php/%i-fpm.sock
+SocketMode=0660
+SocketUser=%i
+SocketGroup=www-data
+
+[Install] 
+WantedBy=sockets.target
diff --git a/php-fpm/templates/pool.conf.j2 b/php-fpm/templates/pool.conf.j2
index 2980888..bca291f 100644
--- a/php-fpm/templates/pool.conf.j2
+++ b/php-fpm/templates/pool.conf.j2
@@ -1,14 +1,16 @@
+include=/etc/php/{{ php_version }}/fpm/php-fpm.conf
+
 {% if item is not defined %}
-{% set item = {"name": fpm_pool, "user": fpm_user, "group": fpm_group, "socket_user": fpm_socket_user, "socket_group": fpm_socket_group, "params": fpm_params|default({})} %}
+{% set item = {"name": fpm_pool, "params": fpm_params|default({})} %}
 {% endif %}
 [{{item.name}}]
-user = {{item.user}}
-group = {{item.group}}
+user = {{item.name}}
+group = {{item.name}}
 
 listen = /run/php/{{item.name}}-fpm.sock
 
-listen.owner = {{item.socket_user}}
-listen.group = {{item.socket_group}}
+listen.owner = {{item.name}}
+listen.group = www-data
 
 pm = {{ item.pm|default('ondemand') }}
 {% if item.pm|default('ondemand') == 'static' %}
@@ -25,14 +27,10 @@ pm.process_idle_timeout = {{ item.pm_process_idle_timeout|default(15) }}s
 {% endif %}
 pm.max_requests = {{ item.pm_max_requests|default(500) }}
 
-{% if item.params is defined and item.params %}
-{% for key, value in item.params.items() %}
+{% for key, value in fpm_default_params|combine(item.params|default({})).items() %}
 php_admin_value[{{key}}] = {{value}}
 {% endfor %}
-{% endif %}
 
-{% if item.flags is defined and item.flags %}
-{% for key, value in item.flags.items() %}
+{% for key, value in fpm_default_flags|combine(item.flags|default({})).items() %}
 php_admin_flag[{{key}}] = {{'on' if value else 'off'}}
 {% endfor %}
-{% endif %}
-- 
GitLab