authorAaron Andersen <aaron@fosslib.net>2019-06-28 21:47:43 -0400
committerAaron Andersen <aaron@fosslib.net>2019-06-28 21:47:43 -0400
commit278d867a9b50e2472b1724988363b26f8eea6bf7 (patch)
tree42366eff05fcae152a48d7eaa39ed6d1762096ff /nixos/modules/services/web-servers
parent4b98e262a040f69197ad43cd4ec7f9106bf6495d (diff)
Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless"
This reverts commit b5478fd1a2ef442a54c36031bf3a27a96b5ea31c, reversing changes made to dbb00bfcbfb291e79d4d2d512041656e6bcfcd9a.
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r--nixos/modules/services/web-servers/phpfpm/default.nix186
-rw-r--r--nixos/modules/services/web-servers/phpfpm/pool-options.nix57
2 files changed, 146 insertions, 97 deletions
diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix
index e424080ab1f..ffafbc5e92f 100644
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -4,26 +4,37 @@ with lib;
let
cfg = config.services.phpfpm;
- enabled = cfg.pools != {};
+ enabled = cfg.poolConfigs != {} || cfg.pools != {};
- poolConfigs = (mapAttrs mapPool cfg.pools);
+ stateDir = "/run/phpfpm";
+
+ poolConfigs =
+ (mapAttrs mapPoolConfig cfg.poolConfigs) //
+ (mapAttrs mapPool cfg.pools);
+
+ mapPoolConfig = n: p: {
+ phpPackage = cfg.phpPackage;
+ phpOptions = cfg.phpOptions;
+ config = p;
+ };
mapPool = n: p: {
phpPackage = p.phpPackage;
phpOptions = p.phpOptions;
- userPool = p.user;
- groupPool = p.group;
+ config = ''
+ listen = ${p.listen}
+ ${p.extraConfig}
+ '';
};
fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" ''
[global]
error_log = syslog
daemonize = no
- ${cfg.globalExtraConfig}
+ ${cfg.extraConfig}
[${pool}]
- listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock
- ${cfg.pools.${pool}.extraConfig}
+ ${conf}
'';
phpIni = pool: pkgs.runCommand "php.ini" {
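Review bot: A pool name that appears in both `cfg.poolConfigs` and `cfg.pools` is resolved silently by the `//` in `poolConfigs = (mapAttrs mapPoolConfig cfg.poolConfigs) // (mapAttrs mapPool cfg.pools)`: only the `pools` entry survives, so settings an operator put under `poolConfigs` for that name are dropped without any evaluation error. An assertion would surface the overlap at build time, e.g. `assertion = intersectLists (attrNames cfg.poolConfigs) (attrNames cfg.pools) == [];` with a message that lists the duplicate names. The `let` block this hunk edits continues past its last line.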
@@ -38,100 +49,87 @@ let
'';
in {
+
options = {
services.phpfpm = {
- globalExtraConfig = mkOption {
+ extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
- Global extra configuration that should be put in the global section of
+ Extra configuration that should be put in the global section of
the PHP-FPM configuration file. Do not specify the options
<literal>error_log</literal> or
- <literal>daemonize</literal> here, since they are generated by NixOS.
+ <literal>daemonize</literal> here, since they are generated by
+ NixOS.
'';
};
- pools = mkOption {
- default = {};
- type = types.attrsOf (types.submodule {
- options = {
- socketName = mkOption {
- type = types.str;
- example = "php-fpm";
- description = ''
- The address on which to accept FastCGI requests.
- '';
- };
-
- phpPackage = mkOption {
- type = types.package;
- default = fpmCfg.phpPackage;
- defaultText = "config.services.phpfpm.phpPackage";
- description = ''
- The PHP package to use for running this PHP-FPM pool.
- '';
- };
-
- phpOptions = mkOption {
- type = types.lines;
- default = fpmCfg.phpOptions;
- defaultText = "config.services.phpfpm.phpOptions";
- description = ''
- "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
- '';
- };
-
- user = mkOption {
- type = types.string;
- default = "phpfpm";
- description = "User account under which phpfpm runs.";
- };
-
- group = mkOption {
- type = types.string;
- default = "phpfpm";
- description = "Group account under which phpfpm runs.";
- };
-
- extraConfig = mkOption {
- type = types.lines;
- example = ''
- pm = dynamic
- pm.max_children = 75
- pm.start_servers = 10
- pm.min_spare_servers = 5
- pm.max_spare_servers = 20
- pm.max_requests = 500
- '';
-
- description = ''
- Extra lines that go into the pool configuration.
- See the documentation on <literal>php-fpm.conf</literal> for
- details on configuration directives.
- '';
- };
- };
- });
+ phpPackage = mkOption {
+ type = types.package;
+ default = pkgs.php;
+ defaultText = "pkgs.php";
+ description = ''
+ The PHP package to use for running the PHP-FPM service.
+ '';
+ };
+ phpOptions = mkOption {
+ type = types.lines;
+ default = "";
+ example =
+ ''
+ date.timezone = "CET"
+ '';
+ description =
+ "Options appended to the PHP configuration file <filename>php.ini</filename>.";
+ };
+
+ poolConfigs = mkOption {
+ default = {};
+ type = types.attrsOf types.lines;
example = literalExample ''
- {
- mypool = {
- socketName = "example";
- phpPackage = pkgs.php;
- user = "phpfpm";
- group = "phpfpm";
- extraConfig = '''
- pm = dynamic
- pm.max_children = 75
- pm.start_servers = 10
- pm.min_spare_servers = 5
- pm.max_spare_servers = 20
- pm.max_requests = 500
- ''';
- }
+ { mypool = '''
+ listen = /run/phpfpm/mypool
+ user = nobody
+ pm = dynamic
+ pm.max_children = 75
+ pm.start_servers = 10
+ pm.min_spare_servers = 5
+ pm.max_spare_servers = 20
+ pm.max_requests = 500
+ ''';
}
'';
description = ''
+ A mapping between PHP-FPM pool names and their configurations.
+ See the documentation on <literal>php-fpm.conf</literal> for
+ details on configuration directives. If no pools are defined,
+ the phpfpm service is disabled.
+ '';
+ };
+
+ pools = mkOption {
+ type = types.attrsOf (types.submodule (import ./pool-options.nix {
+ inherit lib config;
+ }));
+ default = {};
+ example = literalExample ''
+ {
+ mypool = {
+ listen = "/path/to/unix/socket";
+ phpPackage = pkgs.php;
+ extraConfig = '''
+ user = nobody
+ pm = dynamic
+ pm.max_children = 75
+ pm.start_servers = 10
+ pm.min_spare_servers = 5
+ pm.max_spare_servers = 20
+ pm.max_requests = 500
+ ''';
+ }
+ }'';
+ description = ''
PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM
service is disabled.
'';
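Review bot: The `poolConfigs` description ends with `If no pools are defined, the phpfpm service is disabled.`, while the `enabled` expression in the first hunk is `cfg.poolConfigs != {} || cfg.pools != {}` and the `pools` description right below already states that combined condition, so the two option descriptions disagree about when the service is disabled. Suggested wording for `poolConfigs`: `If no pools or poolConfigs are defined, the phpfpm service is disabled.` The `options` attribute set this hunk edits continues outside the hunk.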
@@ -156,6 +154,9 @@ in {
after = [ "network.target" ];
wantedBy = [ "phpfpm.target" ];
partOf = [ "phpfpm.target" ];
+ preStart = ''
+ mkdir -p ${stateDir}
+ '';
serviceConfig = let
cfgFile = fpmCfgFile pool poolConfig.config;
iniFile = phpIni poolConfig;
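Review bot: `mkdir -p ${stateDir}` in `preStart` creates `/run/phpfpm` with whatever mode the unit's umask yields, and since this service definition appears to be instantiated once per pool, the directory the examples point pool sockets at has no pinned owner or mode and is created by whichever pool starts first. Declaring it once with `systemd.tmpfiles.rules = [ "d ${stateDir} 0755 root root - -" ];`, or using `install -d -m 0755 ${stateDir}` in the existing `preStart`, makes the mode explicit; per-unit `RuntimeDirectory` is not a drop-in for a directory shared by several pools because it is removed when that one unit stops. The enclosing service definition starts and ends outside the hunk.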
@@ -165,19 +166,10 @@ in {
ProtectSystem = "full";
ProtectHome = true;
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
- RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
Type = "notify";
- ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'";
+ ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
- # User and group
- User = "${poolConfig.userPool}";
- Group = "${poolConfig.groupPool}";
- # Runtime directory and mode
- RuntimeDirectory = "phpfpm-${pool}";
- RuntimeDirectoryMode = "0750";
- # Capabilities
- AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
- CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
};
}
);
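Review bot: With `User`, `Group`, `AmbientCapabilities` and `CapabilityBoundingSet` removed and nothing put in their place, the new unit runs the php-fpm master as root with an unrestricted capability set, even though `ProtectSystem` and `ProtectHome` just above are kept. The bounding set in the removed line is presumably what the master needs to switch workers to the pool `user`, chown the socket and bind low ports, and it does not depend on the per-pool user or runtime-directory layout that the rest of this hunk reverts, so it could be retained as `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];`. Dropping the single quotes around `${cfgFile}` and `${iniFile}` in `ExecStart` is harmless, since store paths contain no whitespace. The `serviceConfig` attribute set begins outside the hunk.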
diff --git a/nixos/modules/services/web-servers/phpfpm/pool-options.nix b/nixos/modules/services/web-servers/phpfpm/pool-options.nix
new file mode 100644
index 00000000000..d9ad7eff71f
--- /dev/null
+++ b/nixos/modules/services/web-servers/phpfpm/pool-options.nix
@@ -0,0 +1,57 @@
+{ lib, config }:
+
+let
+ fpmCfg = config.services.phpfpm;
+in
+
+with lib; {
+
+ options = {
+
+ listen = mkOption {
+ type = types.str;
+ example = "/path/to/unix/socket";
+ description = ''
+ The address on which to accept FastCGI requests.
+ '';
+ };
+
+ phpPackage = mkOption {
+ type = types.package;
+ default = fpmCfg.phpPackage;
+ defaultText = "config.services.phpfpm.phpPackage";
+ description = ''
+ The PHP package to use for running this PHP-FPM pool.
+ '';
+ };
+
+ phpOptions = mkOption {
+ type = types.lines;
+ default = fpmCfg.phpOptions;
+ defaultText = "config.services.phpfpm.phpOptions";
+ description = ''
+ "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
+ '';
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ example = ''
+ user = nobody
+ pm = dynamic
+ pm.max_children = 75
+ pm.start_servers = 10
+ pm.min_spare_servers = 5
+ pm.max_spare_servers = 20
+ pm.max_requests = 500
+ '';
+
+ description = ''
+ Extra lines that go into the pool configuration.
+ See the documentation on <literal>php-fpm.conf</literal> for
+ details on configuration directives.
+ '';
+ };
+ };
+}
+
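Review bot: The `phpOptions` description is wrapped in literal double quotes inside the `''` string (`"Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."`), so the quotes are rendered into the manual; drop them. `extraConfig` has no `default`, which makes it mandatory for every pool, and both examples in this commit place `user = nobody` there, so its description should state that: `Extra lines that go into the pool configuration. The pool's user and group directives belong here, since the module itself does not set them.` Both are documentation-only changes.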