phpfpm service: one service per pool for isolation

[fpletz]

Motivation for this change

Previously, we used one php-fpm process to manage all pools. While this is the default configuration we can do better and leverage systemd services hardening to improve isolation between pools running on the same system.

We are still using php-fpm to change uid and gid in order to maintain compatibility with existing configs for now.

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

[peterhoeg]

Nice!

Couple of comments:

1. I imagine that the reason for not using instantiated services (phpfpm@foo.service) is due to NixOS's rather poor support for that, correct?
2. It might make sense to stick them all into the same slice: Slice=phpfpm.slice to allow resource allocations for all workers
3. Having a phpfpm.target that pulls in all the units and then have multi-user.target pull in phpfpm.target makes it a lot easier to stop/start all at one go

[fpletz]

I imagine that the reason for not using instantiated services (phpfpm@foo.service) is due to NixOS's rather poor support for that, correct?

Yup.

It might make sense to stick them all into the same slice: Slice=phpfpm.slice to allow resource allocations for all workers

Great idea! 👍

Having a phpfpm.target that pulls in all the units and then have multi-user.target pull in phpfpm.target makes it a lot easier to stop/start all at one go

Yeah, also great idea. 👍

I will implement both suggestions before merging this. Thanks!