php-fpm: make use of home directory

Potentially breaking, these options are removed:
pool.user, pool.listen.owner, pool.listen.mode.

Since socket owner cannot be set now,
nginx needs to belong to the appropriate PHP-FPM group.

3 files changed, 52 insertions, 22 deletions

diff --git a/modules/apps/icingaweb2.nix b/modules/apps/icingaweb2.nix
index 852c546..fad0509 100644
--- a/modules/apps/icingaweb2.nix
+++ b/modules/apps/icingaweb2.nix
@@ -161,7 +161,6 @@ let
   ));
 
   defaultPool = {
-    listen.owner = config.nixsap.apps.nginx.user;
     pm.max_children = 10;
     pm.max_requests = 1000;
     pm.max_spare_servers = 5;
@@ -363,11 +362,13 @@ in {
 
   config = mkIf cfg.enable {
     nixsap.deployment.keyrings.root = keys;
+    users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ];
     users.users.icingaweb2.extraGroups = mkIf localIcinga [ config.nixsap.apps.icinga2.commandGroup ];
 
     nixsap.apps.php-fpm.icingaweb2 = mkOverride 0 {
+      inherit (cfg) user;
       inherit (cfg.php-fpm) package;
-      pool = recursiveUpdate defaultPool (cfg.php-fpm.pool // { user = cfg.user ;});
+      pool = recursiveUpdate defaultPool cfg.php-fpm.pool;
     };
 
     nixsap.apps.nginx.conf.http.servers.icingaweb2 = ''
diff --git a/modules/apps/mediawiki/default.nix b/modules/apps/mediawiki/default.nix
index 2988f07..07dc6e9 100644
--- a/modules/apps/mediawiki/default.nix
+++ b/modules/apps/mediawiki/default.nix
@@ -14,11 +14,10 @@ let
     attrNames elem isAttrs isBool isList isString ;
 
   cfg = config.nixsap.apps.mediawiki;
-  user = config.nixsap.apps.mediawiki.user;
+  user = cfg.user;
   php = cfg.php-fpm.package;
 
   defaultPool = {
-    listen.owner = config.nixsap.apps.nginx.user;
     pm.max_children = 10;
     pm.max_requests = 1000;
     pm.max_spare_servers = 5;
@@ -163,7 +162,7 @@ let
     }
 
     chmod -Rc u=rwX,g=rX,o= '${cfg.localSettings.wgUploadDirectory}'
-    chown -Rc '${user}:${user}' '${cfg.localSettings.wgUploadDirectory}'
+    chown -Rc '${cfg.user}:${cfg.user}' '${cfg.localSettings.wgUploadDirectory}'
   '';
 
   nginx = ''
@@ -295,13 +294,13 @@ in {
   };
 
   config = mkIf cfg.enable {
-    nixsap.deployment.keyrings.${user} = keys;
-    users.users.${config.nixsap.apps.nginx.user}.extraGroups =
-      mkIf cfg.localSettings.wgEnableUploads [ user ];
+    nixsap.deployment.keyrings.${cfg.user} = keys;
+    users.users.${config.nixsap.apps.nginx.user}.extraGroups = [ cfg.user ];
 
     nixsap.apps.php-fpm.mediawiki = mkOverride 0 {
+      inherit (cfg) user;
       inherit (cfg.php-fpm) package;
-      pool = recursiveUpdate defaultPool (cfg.php-fpm.pool // { user = cfg.user ;});
+      pool = recursiveUpdate defaultPool cfg.php-fpm.pool;
     };
 
     nixsap.apps.nginx.conf.http.servers.mediawiki = nginx;
@@ -314,7 +313,7 @@ in {
       serviceConfig = {
         RemainAfterExit = true;
         Type = "oneshot";
-        User = config.nixsap.apps.php-fpm.mediawiki.pool.user;
+        User = cfg.user;
         ExecStart = "${mediawiki-db}/bin/mediawiki-db";
       };
     };
diff --git a/modules/apps/php-fpm.nix b/modules/apps/php-fpm.nix
index 6486975..ed90c1a 100644
--- a/modules/apps/php-fpm.nix
+++ b/modules/apps/php-fpm.nix
@@ -14,14 +14,14 @@ let
   explicit = filterAttrs (n: v: n != "_module" && v != null);
   concatNonEmpty = sep: list: concatStringsSep sep (filter (s: s != "") list);
 
-  attrs = opts: submodule { options = opts; };
   default = d: t: mkOption { type = t; default = d; };
+  readonly = d: t: mkOption { type = t; default = d; readOnly = true; };
   mandatory = t: mkOption { type = t; };
   optional = t: mkOption { type = nullOr t; default = null; };
 
   instances = explicit (config.nixsap.apps.php-fpm);
 
-  users = mapAttrsToList (_: v: v.pool.user) instances;
+  users = mapAttrsToList (_: v: v.user) instances;
 
   mkService = name: cfg:
     let
@@ -52,6 +52,7 @@ let
         ${concatNonEmpty "\n" (mapAttrsToList mkGlobal (explicit cfg.global))}
 
         [pool]
+        listen.mode = 0660
         ${concatNonEmpty "\n" (mapAttrsToList mkPool (explicit cfg.pool))}
       '';
       exec = "${cfg.package}/bin/php-fpm --fpm-config ${conf} "
@@ -63,9 +64,17 @@ let
         description = "PHP FastCGI Process Manager (${name})";
         after = [ "local-fs.target" ];
         wantedBy = [ "multi-user.target" ];
+        preStart = ''
+          mkdir -p -- '${cfg.home}' '${cfg.logDir}'
+          rm -f    -- '${cfg.pool.listen.socket}'
+          chown -Rc '${cfg.user}:${cfg.user}' -- '${cfg.home}'
+          chmod -Rc u=rwX,g=rX,o= -- '${cfg.home}'
+        '';
         serviceConfig = {
           ExecStart = exec;
+          PermissionsStartOnly = true;
           Restart = "always";
+          User = cfg.user;
         };
       };
     };
@@ -75,22 +84,47 @@ in {
   options.nixsap.apps.php-fpm = default {}
     (attrsOf (submodule( { config, name, ... }: {
       options = {
-        package = default pkgs.php package;
-        php-ini = optional path;
+        home = mkOption {
+          description = "Directory with logs and the socket";
+          type = path;
+          default = "/php-fpm/${name}";
+        };
+        logDir = mkOption {
+          description = "Directory with logs. This is convenient read-only option";
+          type = path;
+          readOnly = true;
+          default = "${config.home}/log";
+        };
+        user = mkOption {
+          description = "User to run as";
+          type = str;
+          default = "php-fpm-${name}";
+        };
+        package = mkOption {
+          description = "PHP package to use FPM from";
+          type = package;
+          default = pkgs.php;
+        };
+        php-ini = mkOption {
+          description = "php.ini file to pass to php-fpm";
+          type = nullOr path;
+          default = null;
+        };
+
 
         global = {
           emergency_restart_interval = optional int;
           emergency_restart_threshold = optional int;
-          error_log = default "/var/log/php-fpm-${name}.log" path;
+          error_log = readonly "${config.logDir}/error.log" path;
           log_level = optional (enum ["alert" "error" "warning" "notice" "debug"]);
           process_control_timeout = optional int;
           rlimit_core = optional int;
           rlimit_files = optional int;
 
-          process = optional (attrs {
+          process = {
             max      = optional int;
             priority = optional int;
-          });
+          };
         };
 
         pool = {
@@ -105,14 +139,10 @@ in {
           request_terminate_timeout = optional int;
           rlimit_core               = optional int;
           rlimit_files              = optional int;
-          user                      = default "php-fpm-${name}" str;
           listen = {
             acl_groups = optional str;
             backlog    = optional int;
-            group      = optional str;
-            mode       = optional str;
-            owner      = default config.pool.user str;
-            socket     = default "/run/php-fpm-${name}.sock" path;
+            socket     = readonly "${config.home}/sock" path;
           };
           pm = {
             max_children      = mandatory int;