Verified Commit 230cc79a authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Migrate bugtracker to php7 package

As flyspray does not support PHP 8 as of yet, transition to the php7
package by simply introducing a new php7_fpm role.
parent 872cfd84
......@@ -12,7 +12,7 @@
- { role: nginx }
- { role: mariadb, mariadb_query_cache_type: '0', mariadb_innodb_file_per_table: True }
- { role: sudo }
- { role: php_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
- { role: php7_fpm, php_extensions: ['mysqli'], zend_extensions: ['opcache'] }
- { role: flyspray }
- { role: borg_client, tags: ["borg"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
......
......@@ -62,10 +62,10 @@
- name: configure php-fpm
template:
src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ flyspray_user }}.conf"
src=php-fpm.conf.j2 dest="/etc/php7/php-fpm.d/{{ flyspray_user }}.conf"
owner=root group=root mode=0644
notify:
- restart php-fpm@flyspray
- restart php-fpm7@flyspray
- name: install fail2ban register ban filter
template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-flyspray-register.local owner=root group=root mode=0644
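Review bot: The renamed `notify: - restart php-fpm7@flyspray` on the configure php-fpm task only works if a handler with exactly that name exists in the flyspray role's handlers file, which is not part of this view (one diff on the page is collapsed); if the handlers file still only defines `restart php-fpm@flyspray`, Ansible aborts the play with a "requested handler was not found" error and the pool config is never reloaded. Worth confirming the handler rename landed in the same commit. Separately, the new dest `/etc/php7/php-fpm.d/{{ flyspray_user }}.conf` is only picked up because php-fpm7@.service passes it explicitly with `--fpm-config`; a comment on the task, `# path must match --fpm-config in php-fpm7@.service`, would keep the two from drifting apart.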
......@@ -82,4 +82,4 @@
- fail2ban
- name: start and enable systemd socket
service: name=php-fpm@flyspray.socket state=started enabled=true
service: name=php-fpm7@flyspray.socket state=started enabled=true
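Review bot: Enabling `php-fpm7@flyspray.socket` does nothing about the previously enabled `php-fpm@flyspray.socket` and its `php-fpm@flyspray.service` on hosts that were provisioned before this change, so the old PHP 8 pool stays active on `/run/php-fpm/flyspray.socket` with the same user and database credentials until someone stops it by hand. A cleanup task ahead of this one would make the migration idempotent: `- name: stop and disable old php-fpm socket` / `service: name=php-fpm@flyspray.socket state=stopped enabled=false` (and the same for `php-fpm@flyspray.service`), with `failed_when: false` so fresh hosts where the unit never existed do not fail. That the old unit is still present on the host is inferred from the php_fpm role being dropped from the playbook, not visible here.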
upstream flyspray {
server unix:///run/php-fpm/flyspray.socket;
server unix:///run/php-fpm7/flyspray.socket;
}
server {
......
......@@ -3,7 +3,7 @@ error_log = syslog
daemonize = no
[{{ flyspray_user }}]
listen = /run/php-fpm/flyspray.socket
listen = /run/php-fpm7/flyspray.socket
listen.owner = {{ flyspray_user }}
listen.group = http
listen.mode = 0660
......
---
php_extensions:
- curl
- zip
zend_extensions:
- opcache
[Unit]
Description=PHP-FPM service for %i
After=syslog.target network.target
After=mysqld.service postfix.service
Requires=php-fpm7@.socket
[Service]
Type=notify
PrivateTmp=true
NoNewPrivileges=true
;PrivateNetwork=true
PrivateDevices=true
# AURweb's rendercomment script git bindings requires access to /home:
# failed to stat '/home/aur/.gitconfig
ProtectHome=tmpfs
ProtectSystem=full
InaccessiblePaths=-/var/lib/mysql
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectClock=true
RestrictRealtime=true
RestrictNamespaces=true
# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
MemoryAccounting=yes
CPUAccounting=yes
IOAccounting=yes
User=%i
Group=%i
Environment="FPM_SOCKETS=/run/php-fpm7/%i.socket=3"
ExecStart=/usr/bin/php-fpm7 --nodaemonize --fpm-config /etc/php7/php-fpm.d/%i.conf
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
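Review bot: The [Service] sandbox stops short of the cheap filters that matter most for a worker executing web-facing PHP: there is no `CapabilityBoundingSet=` (empty; the pool runs as `User=%i` and never needs capabilities), no `SystemCallArchitectures=native` and no `SystemCallFilter=@system-service`, so a code-execution bug in the application still gets the full syscall surface. I would add `CapabilityBoundingSet=` / `SystemCallArchitectures=native` / `SystemCallFilter=@system-service` next to RestrictNamespaces before this ships; `LockPersonality=true` is a safe addition too, while `MemoryDenyWriteExecute` needs checking against opcache first. `After=syslog.target` is a no-op on current systemd and can go, and the `/home/aur/.gitconfig` comment justifying `ProtectHome=tmpfs` describes AURweb, which this role does not serve in this commit, so it reads as carried over from the original php-fpm@.service (inferred; that unit is not in view). `AF_NETLINK` in RestrictAddressFamilies is also worth confirming as actually needed by the enabled extensions.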
[Unit]
Description=PHP-FPM socket for %i
[Socket]
ListenStream=/run/php-fpm7/%i.socket
SocketMode=0660
SocketUser=%i
SocketGroup=http
[Install]
WantedBy=sockets.target
---
- name: daemon reload
systemd:
daemon-reload: yes
---
- name: install php7-fpm
pacman: name=php7-fpm,php7-gd,php7-pgsql state=present
- name: install php7-fpm units
copy: >
src={{ item }} dest=/etc/systemd/system/{{ item }}
owner=root group=root mode=0644
with_items:
- php-fpm7@.socket
- php-fpm7@.service
notify: daemon reload
- name: configure default php.ini
template: >
src=php.ini.j2 dest=/etc/php7/php.ini
owner=root group=root mode=0644
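Review bot: The new tasks use legacy `key=value` argument strings inside folded scalars (`copy: >`, `template: >`) rather than block-style module arguments, which is the form ansible-lint flags and may be what the failed pipeline is about (inferred; the pipeline log is not in view). When converting, keep the file mode quoted as `mode: "0644"` so YAML does not turn the octal into the integer 420. A second, smaller point: the role unconditionally installs `php7-gd` and `php7-pgsql` although the only consumer in this commit is flyspray on mariadb with `php_extensions: ['mysqli']`; if no playbook needs pgsql, dropping it trims the installed extension surface.
```yaml
- name: install php7-fpm units
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - php-fpm7@.socket
    - php-fpm7@.service
  notify: daemon reload
# … unchanged: configure default php.ini task, converted the same way …
```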