Merge pull request #63156 from Izorkin/phpfpm-rootless

phpfpm: do not run anything as root

nixos/modules/rename.nix

@@ -241,6 +241,12 @@ with lib;
     # binfmt
     (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
 
+    # PHP-FPM
+    (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.")
+    (mkRemovedOptionModule [ "services" "phpfpm" "phpPackage" ] "Use services.phpfpm.pools.<name>.phpPackage instead.")
+    (mkRemovedOptionModule [ "services" "phpfpm" "phpOptions" ] "Use services.phpfpm.pools.<name>.phpOptions instead.")
+    (mkRenamedOptionModule [ "services" "phpfpm" "extraConfig" ] [ "services" "phpfpm" "globalExtraConfig" ])
+
   ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
                    "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
                    "snmpExporter" "unifiExporter" "varnishExporter" ]

nixos/modules/services/mail/roundcube.nix

@@ -105,7 +105,7 @@ in
             extraConfig = ''
               location ~* \.php$ {
                 fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                fastcgi_pass unix:/run/phpfpm/roundcube;
+                fastcgi_pass unix:/run/phpfpm-roundcube/roundcube.sock;
                 include ${pkgs.nginx}/conf/fastcgi_params;
                 include ${pkgs.nginx}/conf/fastcgi.conf;
               }
@@ -119,24 +119,28 @@ in
       enable = true;
     };
 
-    services.phpfpm.poolConfigs.roundcube = ''
-      listen = /run/phpfpm/roundcube
-      listen.owner = nginx
-      listen.group = nginx
-      listen.mode = 0660
-      user = nginx
-      pm = dynamic
-      pm.max_children = 75
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 20
-      pm.max_requests = 500
-      php_admin_value[error_log] = 'stderr'
-      php_admin_flag[log_errors] = on
-      php_admin_value[post_max_size] = 25M
-      php_admin_value[upload_max_filesize] = 25M
-      catch_workers_output = yes
-    '';
+    services.phpfpm.pools.roundcube = {
+      socketName = "roundcube";
+      phpPackage = pkgs.php;
+      user = "${config.services.nginx.user}";
+      group = "${config.services.nginx.group}";
+      extraConfig = ''
+        listen.owner = ${config.services.nginx.user}
+        listen.group = ${config.services.nginx.group}
+        listen.mode = 0600
+        pm = dynamic
+        pm.max_children = 75
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 20
+        pm.max_requests = 500
+        php_admin_value[error_log] = 'stderr'
+        php_admin_flag[log_errors] = on
+        php_admin_value[post_max_size] = 25M
+        php_admin_value[upload_max_filesize] = 25M
+        catch_workers_output = yes
+      '';
+    };
     systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
 
     systemd.services.roundcube-setup = let

nixos/modules/services/misc/zoneminder.nix

@@ -19,7 +19,7 @@ let
 
   useCustomDir = cfg.storageDir != null;
 
-  socket = "/run/phpfpm/${dirName}.sock";
+  socket = "/run/phpfpm-zoneminder/zoneminder.sock";
 
   zms = "/cgi-bin/zms";
 
@@ -284,17 +284,17 @@ in {
 
       phpfpm = lib.mkIf useNginx {
         pools.zoneminder = {
-          listen = socket;
+          socketName = "zoneminder";
+          phpPackage = pkgs.php;
+          user = "${user}";
+          group = "${group}";
           phpOptions = ''
             date.timezone = "${config.time.timeZone}"
 
             ${lib.concatStringsSep "\n" (map (e:
             "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)}
           '';
           extraConfig = ''
-            user = ${user}
-            group = ${group}
-
             listen.owner = ${user}
             listen.group = ${group}
             listen.mode = 0660

nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix

@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }: with lib; let
   cfg = config.services.icingaweb2;
   poolName = "icingaweb2";
-  phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";
 
   defaultConfig = {
     global = {
@@ -162,19 +161,23 @@ in {
   };
 
   config = mkIf cfg.enable {
-    services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
-      "${poolName}" = ''
-        listen = "${phpfpmSocketName}"
-        listen.owner = nginx
-        listen.group = nginx
-        listen.mode = 0600
-        user = icingaweb2
-        pm = dynamic
-        pm.max_children = 75
-        pm.start_servers = 2
-        pm.min_spare_servers = 2
-        pm.max_spare_servers = 10
-      '';
+    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
+      "${poolName}" = {
+        socketName = "${poolName}";
+        phpPackage = pkgs.php;
+        user = "icingaweb2";
+        group = "icingaweb2";
+        extraConfig = ''
+          listen.owner = ${config.services.nginx.user}
+          listen.group = ${config.services.nginx.group}
+          listen.mode = 0600
+          pm = dynamic
+          pm.max_children = 75
+          pm.start_servers = 2
+          pm.min_spare_servers = 2
+          pm.max_spare_servers = 10
+        '';
+      };
     };
 
     services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}")
@@ -206,7 +209,7 @@ in {
             include ${config.services.nginx.package}/conf/fastcgi.conf;
             try_files $uri =404;
             fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:${phpfpmSocketName};
+            fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
             fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php;
           '';
         };
@@ -239,5 +242,8 @@ in {
       group = "icingaweb2";
       isSystemUser = true;
     };
+    users.users.nginx = {
+      extraGroups = [ "icingaweb2" ];
+    };
   };
 }

nixos/modules/services/web-apps/limesurvey.nix

@@ -202,13 +202,13 @@ in
     };
 
     services.phpfpm.pools.limesurvey = {
+      socketName = "limesurvey";
       phpPackage = php;
-      listen = "/run/phpfpm/limesurvey.sock";
+      user = "${user}";
+      group = "${group}";
       extraConfig = ''
         listen.owner = ${config.services.httpd.user};
         listen.group = ${config.services.httpd.group};
-        user = ${user};
-        group = ${group};
 
         env[LIMESURVEY_CONFIG] = ${limesurveyConfig}
 
@@ -241,7 +241,7 @@ in
             <Directory "${pkg}/share/limesurvey">
               <FilesMatch "\.php$">
                 <If "-f %{REQUEST_FILENAME}">
-                  SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/"
+                  SetHandler "proxy:unix:/run/phpfpm-limesurvey/limesurvey.sock|fcgi://localhost/"
                 </If>
               </FilesMatch>
 

nixos/modules/services/web-apps/matomo.nix

@@ -4,13 +4,14 @@ let
   cfg = config.services.matomo;
 
   user = "matomo";
+  group = "matomo";
   dataDir = "/var/lib/${user}";
   deprecatedDataDir = "/var/lib/piwik";
 
   pool = user;
-  # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
+  # it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
   # and therefore is not accessible by the web server.
-  phpSocket = "/run/phpfpm-${pool}.sock";
+  phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
   phpExecutionUnit = "phpfpm-${pool}";
   databaseService = "mysql.service";
 
@@ -137,9 +138,12 @@ in {
       isSystemUser = true;
       createHome = true;
       home = dataDir;
-      group  = user;
+      group  = "${group}";
     };
-    users.groups.${user} = {};
+    users.users.${config.services.nginx.user} = {
+      extraGroups = [ "${group}" ];
+    };
+    users.groups.${group} = {};
 
     systemd.services.matomo-setup-update = {
       # everything needs to set up and up to date before Matomo php files are executed
@@ -169,7 +173,7 @@ in {
           echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
           mv -T ${deprecatedDataDir} ${dataDir}
         fi
-        chown -R ${user}:${user} ${dataDir}
+        chown -R ${user}:${group} ${dataDir}
         chmod -R ug+rwX,o-rwx ${dataDir}
         '';
       script = ''
@@ -225,22 +229,26 @@ in {
       serviceConfig.UMask = "0007";
     };
 
-    services.phpfpm.poolConfigs = let
+    services.phpfpm.pools = let
       # workaround for when both are null and need to generate a string,
       # which is illegal, but as assertions apparently are being triggered *after* config generation,
       # we have to avoid already throwing errors at this previous stage.
       socketOwner = if (cfg.nginx != null) then config.services.nginx.user
       else if (cfg.webServerUser != null) then cfg.webServerUser else "";
     in {
-      ${pool} = ''
-        listen = "${phpSocket}"
-        listen.owner = ${socketOwner}
-        listen.group = root
-        listen.mode = 0600
-        user = ${user}
-        env[PIWIK_USER_PATH] = ${dataDir}
-        ${cfg.phpfpmProcessManagerConfig}
-      '';
+      ${pool} = {
+        socketName = "${pool}";
+        phpPackage = pkgs.php;
+        user = "${user}";
+        group = "${group}";
+        extraConfig = ''
+          listen.owner = ${socketOwner}
+          listen.group = ${group}
+          listen.mode = 0600
+          env[PIWIK_USER_PATH] = ${dataDir}
+          ${cfg.phpfpmProcessManagerConfig}
+        '';
+      };
     };
 
 

nixos/modules/services/web-apps/nextcloud.nix

@@ -394,13 +394,14 @@ in {
                 phpOptions)));
         in {
           phpOptions = phpOptionsExtensions;
+          socketName = "nextcloud";
           phpPackage = phpPackage;
-          listen = "/run/phpfpm/nextcloud";
+          user = "nextcloud";
+          group = "${config.services.nginx.group}";
           extraConfig = ''
-            listen.owner = nginx
-            listen.group = nginx
-            user = nextcloud
-            group = nginx
+            listen.owner = ${config.services.nginx.user}
+            listen.group = ${config.services.nginx.group}
+            listen.mode = 0600
             ${cfg.poolConfig}
             env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config
             env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin
@@ -466,7 +467,7 @@ in {
                   fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
                   fastcgi_param modHeadersAvailable true;
                   fastcgi_param front_controller_active true;
-                  fastcgi_pass unix:/run/phpfpm/nextcloud;
+                  fastcgi_pass unix:/run/phpfpm-nextcloud/nextcloud.sock;
                   fastcgi_intercept_errors on;
                   fastcgi_request_buffering off;
                   fastcgi_read_timeout 120s;

nixos/modules/services/web-apps/restya-board.nix

@@ -13,7 +13,7 @@ let
   runDir = "/run/restya-board";
 
   poolName = "restya-board";
-  phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
+  phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
 
 in
 
@@ -178,9 +178,12 @@ in
 
   config = mkIf cfg.enable {
 
-    services.phpfpm.poolConfigs = {
+    services.phpfpm.pools = {
       "${poolName}" = {
-        listen = phpfpmSocketName;
+        socketName = "${poolName}";
+        phpPackage = pkgs.php;
+        user = "${cfg.user}";
+        group = "${cfg.group}";
         phpOptions = ''
           date.timezone = "CET"
 
@@ -192,11 +195,9 @@ in
           ''}
         '';
         extraConfig = ''
-          listen.owner = nginx
-          listen.group = nginx
+          listen.owner = ${config.services.nginx.user}
+          listen.group = ${config.services.nginx.group}
           listen.mode = 0600
-          user = ${cfg.user}
-          group = ${cfg.group}
           pm = dynamic
           pm.max_children = 75
           pm.start_servers = 10
@@ -365,6 +366,9 @@ in
       home = runDir;
       group  = "restya-board";
     };
+    users.users.nginx = {
+      extraGroups = [ "restya-board" ];
+     };
     users.groups.restya-board = {};
 
     services.postgresql.enable = mkIf (cfg.database.host == null) true;