From b7db2c63ed5984c4886731943d6cabefe4a05fb1 Mon Sep 17 00:00:00 2001 From: Christopher Baines Date: Sat, 25 Nov 2017 09:10:48 +0000 Subject: web: Don't error about missing ssl related files. Erroring here prevents doing things like building a system using nginx on a different machine from where it's intended to be deployed, or creating containers and VMs that use the ssl-certificate parts of the nginx configuration, without also getting these files to exist. * gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl related files. --- gnu/services/web.scm | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 9d713003c3..1af32278c1 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -191,16 +191,6 @@ (define-syntax-rule (and/l x tail ...) (syntax-parameterize ((<> (identifier-syntax x*))) (list tail ...)) '()))) - (for-each - (match-lambda - ((record-key . file) - (if (and file (not (file-exists? file))) - (error - (simple-format - #f - "~A in the nginx configuration for the server with name \"~A\" does not exist" record-key server-name))))) - `(("ssl-certificate" . ,ssl-certificate) - ("ssl-certificate-key" . ,ssl-certificate-key))) (list " server {\n" (and/l http-port " listen " (number->string <>) ";\n") -- cgit v1.2.3 From c48aa70a9aa68ac6f365663044357be77eb9e36a Mon Sep 17 00:00:00 2001 From: Christopher Baines Date: Sat, 9 Dec 2017 09:24:07 +0000 Subject: services: web: Remove default certificate and key files for nginx. If nginx is configured with a ssl-certificate file, and ssl-certificate-key, it will fail to start unless these exist. To avoid this happening, change the default to #f. * gnu/services/web.scm () [ssl-certificate,ssl-certificate-key]: Set the defaults to #f. * gnu/tests/web.scm (%nginx-servers): Remove redundant nginx-server-configuration fields. * doc/guix.texi (Web Services): Update examples and documentation. --- doc/guix.texi | 20 ++++---------------- gnu/services/web.scm | 4 ++-- gnu/tests/web.scm | 5 +---- 3 files changed, 7 insertions(+), 22 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/doc/guix.texi b/doc/guix.texi index 23ccfa2f68..35f895bb4f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14813,10 +14813,7 @@ A simple example configuration is given below. (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) - (root "/srv/http/www.example.com") - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f)))))) + (root "/srv/http/www.example.com")))))) @end example In addition to adding server blocks to the service configuration @@ -14826,9 +14823,6 @@ blocks, as in this example: @example (simple-service 'my-extra-server nginx-service-type (list (nginx-server-configuration - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f) (root "/srv/http/extra-website") (try-files (list "$uri" "$uri/index.html"))))) @end example @@ -14873,10 +14867,7 @@ HTTPS. (server-blocks (list (nginx-server-configuration (server-name '("www.example.com")) - (root "/srv/http/www.example.com") - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f)))))) + (root "/srv/http/www.example.com")))))) @end example @item @code{upstream-blocks} (default: @code{'()}) @@ -14899,9 +14890,6 @@ requests with two servers. (list (nginx-server-configuration (server-name '("www.example.com")) (root "/srv/http/www.example.com") - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f) (locations (list (nginx-location-configuration @@ -14965,11 +14953,11 @@ Nginx will send the list of files in the directory. A list of files whose existence is checked in the specified order. @code{nginx} will use the first file it finds to process the request. -@item @code{ssl-certificate} (default: @code{"/etc/nginx/cert.pem"}) +@item @code{ssl-certificate} (default: @code{#f}) Where to find the certificate for secure connections. Set it to @code{#f} if you don't have a certificate or you don't want to use HTTPS. -@item @code{ssl-certificate-key} (default: @code{"/etc/nginx/key.pem"}) +@item @code{ssl-certificate-key} (default: @code{#f}) Where to find the private key for secure connections. Set it to @code{#f} if you don't have a key or you don't want to use HTTPS. diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 1af32278c1..51cd9da1dd 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -102,9 +102,9 @@ (define-record-type* (try-files nginx-server-configuration-try-files (default '())) (ssl-certificate nginx-server-configuration-ssl-certificate - (default "/etc/nginx/cert.pem")) + (default #f)) (ssl-certificate-key nginx-server-configuration-ssl-certificate-key - (default "/etc/nginx/key.pem")) + (default #f)) (server-tokens? nginx-server-configuration-server-tokens? (default #f))) diff --git a/gnu/tests/web.scm b/gnu/tests/web.scm index 3fa272c676..de7ab3cd65 100644 --- a/gnu/tests/web.scm +++ b/gnu/tests/web.scm @@ -45,10 +45,7 @@ (define %nginx-servers ;; Server blocks. (list (nginx-server-configuration (root "/srv") - (http-port 8042) - (https-port #f) - (ssl-certificate #f) - (ssl-certificate-key #f)))) + (http-port 8042)))) (define %nginx-os ;; Operating system under test. -- cgit v1.2.3 From 2881f85220c05809527d2f2a8b8d71b7a67bc604 Mon Sep 17 00:00:00 2001 From: Christopher Baines Date: Sat, 25 Nov 2017 11:57:37 +0000 Subject: services: web: Add support for configuring the nginx server names hash. The nginx service can fail to start if the server names hash bucket size is too small, which can happen on some systems, and when using QEMU, depending on the CPU. * gnu/services/web.scm (): Add server-names-hash-bucket-size and server-names-hash-bucket-max-size. (default-nginx-config): Add support for the new hash bucket size parameters. (nginx-service, nginx-activation): Pass the new hash bucket size parameters through to the default-nginx-config procedure. * doc/guix.texi (Web Services): Document the new hash bucket size parameters. --- doc/guix.texi | 7 +++++++ gnu/services/web.scm | 36 +++++++++++++++++++++++++++++++----- 2 files changed, 38 insertions(+), 5 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/doc/guix.texi b/doc/guix.texi index 35f895bb4f..592cae5d59 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14913,6 +14913,13 @@ This can be useful if you have an existing configuration file, or it's not possible to do what is required through the other parts of the nginx-configuration record. +@item @code{server-names-hash-bucket-size} (default: @code{#f}) +Bucket size for the server names hash tables, defaults to @code{#f} to +use the size of the processors cache line. + +@item @code{server-names-hash-bucket-max-size} (default: @code{#f}) +Maximum bucket size for the server names hash tables. + @end table @end deffn diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 51cd9da1dd..9692084285 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -38,6 +38,8 @@ (define-module (gnu services web) nginx-configuration-run-directory nginx-configuration-server-blocks nginx-configuration-upstream-blocks + nginx-configuration-server-names-hash-bucket-size + nginx-configuration-server-names-hash-bucket-max-size nginx-configuration-file @@ -141,6 +143,10 @@ (define-record-type* (default '())) ;list of (upstream-blocks nginx-configuration-upstream-blocks (default '())) ;list of + (server-names-hash-bucket-size nginx-configuration-server-names-hash-bucket-size + (default #f)) + (server-names-hash-bucket-max-size nginx-configuration-server-names-hash-bucket-max-size + (default #f)) (file nginx-configuration-file ;#f | string | file-like (default #f))) @@ -225,7 +231,9 @@ (define (flatten1 head out) (cons head out))) (fold-right flatten1 '() lst)) -(define (default-nginx-config nginx log-directory run-directory server-list upstream-list) +(define (default-nginx-config nginx log-directory run-directory server-list + upstream-list server-names-hash-bucket-size + server-names-hash-bucket-max-size) (apply mixed-text-file "nginx.conf" (flatten "user nginx nginx;\n" @@ -239,6 +247,18 @@ (define (default-nginx-config nginx log-directory run-directory server-list upst " scgi_temp_path " run-directory "/scgi_temp;\n" " access_log " log-directory "/access.log;\n" " include " nginx "/share/nginx/conf/mime.types;\n" + (if server-names-hash-bucket-size + (string-append + " server_names_hash_bucket_size " + (number->string server-names-hash-bucket-size) + ";\n") + "") + (if server-names-hash-bucket-max-size + (string-append + " server_names_hash_bucket_max_size " + (number->string server-names-hash-bucket-max-size) + ";\n") + "") "\n" (map emit-nginx-upstream-config upstream-list) (map emit-nginx-server-config server-list) @@ -258,7 +278,8 @@ (define %nginx-accounts (define nginx-activation (match-lambda (($ nginx log-directory run-directory server-blocks - upstream-blocks file) + upstream-blocks server-names-hash-bucket-size + server-names-hash-bucket-max-size file) #~(begin (use-modules (guix build utils)) @@ -279,13 +300,16 @@ (define nginx-activation (system* (string-append #$nginx "/sbin/nginx") "-c" #$(or file (default-nginx-config nginx log-directory - run-directory server-blocks upstream-blocks)) + run-directory server-blocks upstream-blocks + server-names-hash-bucket-size + server-names-hash-bucket-max-size)) "-t"))))) (define nginx-shepherd-service (match-lambda (($ nginx log-directory run-directory server-blocks - upstream-blocks file) + upstream-blocks server-names-hash-bucket-size + server-names-hash-bucket-max-size file) (let* ((nginx-binary (file-append nginx "/sbin/nginx")) (nginx-action (lambda args @@ -294,7 +318,9 @@ (define nginx-shepherd-service (system* #$nginx-binary "-c" #$(or file (default-nginx-config nginx log-directory - run-directory server-blocks upstream-blocks)) + run-directory server-blocks upstream-blocks + server-names-hash-bucket-size + server-names-hash-bucket-max-size)) #$@args)))))) ;; TODO: Add 'reload' action. -- cgit v1.2.3 From 472368a8ac3dc388278cefd98a6695e27300f1ba Mon Sep 17 00:00:00 2001 From: Christopher Baines Date: Sun, 3 Dec 2017 19:36:40 +0000 Subject: services: web: Switch nginx related functions to use match-record. As this is less prone to mistakes than match. * gnu/services/web.scm (default-nginx-config, nginx-activation, nginx-shepherd-service): Switch from using match-lambda to match-record. --- gnu/services/web.scm | 166 +++++++++++++++++++++++++-------------------------- 1 file changed, 81 insertions(+), 85 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 9692084285..7f338039e0 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -231,39 +231,43 @@ (define (flatten1 head out) (cons head out))) (fold-right flatten1 '() lst)) -(define (default-nginx-config nginx log-directory run-directory server-list - upstream-list server-names-hash-bucket-size - server-names-hash-bucket-max-size) - (apply mixed-text-file "nginx.conf" - (flatten - "user nginx nginx;\n" - "pid " run-directory "/pid;\n" - "error_log " log-directory "/error.log info;\n" - "http {\n" - " client_body_temp_path " run-directory "/client_body_temp;\n" - " proxy_temp_path " run-directory "/proxy_temp;\n" - " fastcgi_temp_path " run-directory "/fastcgi_temp;\n" - " uwsgi_temp_path " run-directory "/uwsgi_temp;\n" - " scgi_temp_path " run-directory "/scgi_temp;\n" - " access_log " log-directory "/access.log;\n" - " include " nginx "/share/nginx/conf/mime.types;\n" - (if server-names-hash-bucket-size - (string-append - " server_names_hash_bucket_size " - (number->string server-names-hash-bucket-size) - ";\n") - "") - (if server-names-hash-bucket-max-size - (string-append - " server_names_hash_bucket_max_size " - (number->string server-names-hash-bucket-max-size) - ";\n") - "") - "\n" - (map emit-nginx-upstream-config upstream-list) - (map emit-nginx-server-config server-list) - "}\n" - "events {}\n"))) +(define (default-nginx-config config) + (match-record config + + (nginx log-directory run-directory + server-blocks upstream-blocks + server-names-hash-bucket-size + server-names-hash-bucket-max-size) + (apply mixed-text-file "nginx.conf" + (flatten + "user nginx nginx;\n" + "pid " run-directory "/pid;\n" + "error_log " log-directory "/error.log info;\n" + "http {\n" + " client_body_temp_path " run-directory "/client_body_temp;\n" + " proxy_temp_path " run-directory "/proxy_temp;\n" + " fastcgi_temp_path " run-directory "/fastcgi_temp;\n" + " uwsgi_temp_path " run-directory "/uwsgi_temp;\n" + " scgi_temp_path " run-directory "/scgi_temp;\n" + " access_log " log-directory "/access.log;\n" + " include " nginx "/share/nginx/conf/mime.types;\n" + (if server-names-hash-bucket-size + (string-append + " server_names_hash_bucket_size " + (number->string server-names-hash-bucket-size) + ";\n") + "") + (if server-names-hash-bucket-max-size + (string-append + " server_names_hash_bucket_max_size " + (number->string server-names-hash-bucket-max-size) + ";\n") + "") + "\n" + (map emit-nginx-upstream-config upstream-blocks) + (map emit-nginx-server-config server-blocks) + "}\n" + "events {}\n")))) (define %nginx-accounts (list (user-group (name "nginx") (system? #t)) @@ -275,61 +279,53 @@ (define %nginx-accounts (home-directory "/var/empty") (shell (file-append shadow "/sbin/nologin"))))) -(define nginx-activation - (match-lambda - (($ nginx log-directory run-directory server-blocks - upstream-blocks server-names-hash-bucket-size - server-names-hash-bucket-max-size file) - #~(begin - (use-modules (guix build utils)) +(define (nginx-activation config) + (match-record config + + (nginx log-directory run-directory file) + #~(begin + (use-modules (guix build utils)) - (format #t "creating nginx log directory '~a'~%" #$log-directory) - (mkdir-p #$log-directory) - (format #t "creating nginx run directory '~a'~%" #$run-directory) - (mkdir-p #$run-directory) - (format #t "creating nginx temp directories '~a/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'~%" #$run-directory) - (mkdir-p (string-append #$run-directory "/client_body_temp")) - (mkdir-p (string-append #$run-directory "/proxy_temp")) - (mkdir-p (string-append #$run-directory "/fastcgi_temp")) - (mkdir-p (string-append #$run-directory "/uwsgi_temp")) - (mkdir-p (string-append #$run-directory "/scgi_temp")) - ;; Start-up logs. Once configuration is loaded, nginx switches to - ;; log-directory. - (mkdir-p (string-append #$run-directory "/logs")) - ;; Check configuration file syntax. - (system* (string-append #$nginx "/sbin/nginx") - "-c" #$(or file - (default-nginx-config nginx log-directory - run-directory server-blocks upstream-blocks - server-names-hash-bucket-size - server-names-hash-bucket-max-size)) - "-t"))))) + (format #t "creating nginx log directory '~a'~%" #$log-directory) + (mkdir-p #$log-directory) + (format #t "creating nginx run directory '~a'~%" #$run-directory) + (mkdir-p #$run-directory) + (format #t "creating nginx temp directories '~a/{client_body,proxy,fastcgi,uwsgi,scgi}_temp'~%" #$run-directory) + (mkdir-p (string-append #$run-directory "/client_body_temp")) + (mkdir-p (string-append #$run-directory "/proxy_temp")) + (mkdir-p (string-append #$run-directory "/fastcgi_temp")) + (mkdir-p (string-append #$run-directory "/uwsgi_temp")) + (mkdir-p (string-append #$run-directory "/scgi_temp")) + ;; Start-up logs. Once configuration is loaded, nginx switches to + ;; log-directory. + (mkdir-p (string-append #$run-directory "/logs")) + ;; Check configuration file syntax. + (system* (string-append #$nginx "/sbin/nginx") + "-c" #$(or file + (default-nginx-config config)) + "-t")))) -(define nginx-shepherd-service - (match-lambda - (($ nginx log-directory run-directory server-blocks - upstream-blocks server-names-hash-bucket-size - server-names-hash-bucket-max-size file) - (let* ((nginx-binary (file-append nginx "/sbin/nginx")) - (nginx-action - (lambda args - #~(lambda _ - (zero? - (system* #$nginx-binary "-c" - #$(or file - (default-nginx-config nginx log-directory - run-directory server-blocks upstream-blocks - server-names-hash-bucket-size - server-names-hash-bucket-max-size)) - #$@args)))))) +(define (nginx-shepherd-service config) + (match-record config + + (nginx file run-directory) + (let* ((nginx-binary (file-append nginx "/sbin/nginx")) + (nginx-action + (lambda args + #~(lambda _ + (zero? + (system* #$nginx-binary "-c" + #$(or file + (default-nginx-config config)) + #$@args)))))) - ;; TODO: Add 'reload' action. - (list (shepherd-service - (provision '(nginx)) - (documentation "Run the nginx daemon.") - (requirement '(user-processes loopback)) - (start (nginx-action "-p" run-directory)) - (stop (nginx-action "-s" "stop")))))))) + ;; TODO: Add 'reload' action. + (list (shepherd-service + (provision '(nginx)) + (documentation "Run the nginx daemon.") + (requirement '(user-processes loopback)) + (start (nginx-action "-p" run-directory)) + (stop (nginx-action "-s" "stop"))))))) (define nginx-service-type (service-type (name 'nginx) -- cgit v1.2.3 From 64bae7237c65b32d97e16ff6802124c26867754a Mon Sep 17 00:00:00 2001 From: nee Date: Mon, 9 Oct 2017 23:06:05 +0200 Subject: gnu: services: Add php-fpm. * gnu/services/web.scm (, ): New record types. (php-fpm-configuration?, php-fpm-process-manager-configuration?, php-fpm-service-type, nginx-php-location): New procedures. * doc/guix.texi (Web-Services): Document php-fpm service. * gnu/tests/web.scm: Add php-fpm system test. Signed-off-by: Christopher Baines --- doc/guix.texi | 140 +++++++++++++++++++++++++++++ gnu/services/web.scm | 247 ++++++++++++++++++++++++++++++++++++++++++++++++++- gnu/tests/web.scm | 123 ++++++++++++++++++++++++- 3 files changed, 508 insertions(+), 2 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/doc/guix.texi b/doc/guix.texi index 592cae5d59..bbeef47ec1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -44,6 +44,7 @@ Copyright @copyright{} 2017 Tobias Geerinckx-Rice@* Copyright @copyright{} 2017 George Clemmer@* Copyright @copyright{} 2017 Andy Wingo@* Copyright @copyright{} 2017 Arun Isaac +Copyright @copyright{} 2017 nee Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -15081,6 +15082,145 @@ capability also has to be configured on the front-end as well. @end table @end deftp +@cindex php-fpm +PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation +with some additional features useful for sites of any size. + +These features include: +@itemize @bullet +@item Adaptive process spawning +@item Basic statistics (similar to Apache's mod_status) +@item Advanced process management with graceful stop/start +@item Ability to start workers with different uid/gid/chroot/environment +and different php.ini (replaces safe_mode) +@item Stdout & stderr logging +@item Emergency restart in case of accidental opcode cache destruction +@item Accelerated upload support +@item Support for a "slowlog" +@item Enhancements to FastCGI, such as fastcgi_finish_request() - +a special function to finish request & flush all data while continuing to do +something time-consuming (video converting, stats processing, etc.) +@end itemize +... and much more. + +@defvr {Scheme Variable} php-fpm-service-type +A Service type for @code{php-fpm}. +@end defvr + +@deftp {Data Type} php-fpm-configuration +Data Type for php-fpm service configuration. +@table @asis +@item @code{php} (default: @code{php}) +The php package to use. +@item @code{socket} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.sock")}) +The address on which to accept FastCGI requests. Valid syntaxes are: +@table @asis +@item @code{"ip.add.re.ss:port"} +Listen on a TCP socket to a specific address on a specific port. +@item @code{"port"} +Listen on a TCP socket to all addresses on a specific port. +@item @code{"/path/to/unix/socket"} +Listen on a unix socket. +@end table + +@item @code{user} (default: @code{php-fpm}) +User who will own the php worker processes. +@item @code{group} (default: @code{php-fpm}) +Group of the worker processes. +@item @code{socket-user} (default: @code{php-fpm}) +User who can speak to the php-fpm socket. +@item @code{socket-group} (default: @code{php-fpm}) +Group that can speak to the php-fpm socket. +@item @code{pid-file} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid")}) +The process id of the php-fpm process is written to this file +once the service has started. +@item @code{log-file} (default: @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.log")}) +Log for the php-fpm master process. +@item @code{process-manager} (default: @code{(php-fpm-dynamic-process-manager-configuration)}) +Detailed settings for the php-fpm process manager. +Must be either: +@table @asis +@item @code{} +@item @code{} +@item @code{} +@end table +@item @code{display-errors} (default @code{#f}) +Determines wether php errors and warning should be sent to clients +and displayed in their browsers. +This is useful for local php development, but a security risk for public sites, +as error messages can reveal passwords and personal data. +@item @code{workers-logfile} (default @code{(string-append "/var/log/php" (version-major (package-version php)) "-fpm.www.log")}) +This file will log the @code{stderr} outputs of php worker processes. +Can be set to @code{#f} to disable logging. +@item @code{file} (default @code{#f}) +An optional override of the whole configuration. +You can use the @code{mixed-text-file} function or an absolute filepath for it. +@end table +@end deftp + +@deftp {Data type} php-fpm-dynamic-process-manager-configuration +Data Type for the @code{dynamic} php-fpm process manager. With the +@code{dynamic} process manager, spare worker processes are kept around +based on it's configured limits. +@table @asis +@item @code{max-children} (default: @code{5}) +Maximum of worker processes. +@item @code{start-servers} (default: @code{2}) +How many worker processes should be started on start-up. +@item @code{min-spare-servers} (default: @code{1}) +How many spare worker processes should be kept around at minimum. +@item @code{max-spare-servers} (default: @code{3}) +How many spare worker processes should be kept around at maximum. +@end table +@end deftp + +@deftp {Data type} php-fpm-static-process-manager-configuration +Data Type for the @code{static} php-fpm process manager. With the +@code{static} process manager, an unchanging number of worker processes +are created. +@table @asis +@item @code{max-children} (default: @code{5}) +Maximum of worker processes. +@end table +@end deftp + +@deftp {Data type} php-fpm-on-demand-process-manager-configuration +Data Type for the @code{on-demand} php-fpm process manager. With the +@code{on-demand} process manager, worker processes are only created as +requests arrive. +@table @asis +@item @code{max-children} (default: @code{5}) +Maximum of worker processes. +@item @code{process-idle-timeout} (default: @code{10}) +The time in seconds after which a process with no requests is killed. +@end table +@end deftp + + +@deffn {Scheme Procedure} nginx-php-fpm-location @ + [#:nginx-package nginx] @ + [socket (string-append "/var/run/php" @ + (version-major (package-version php)) @ + "-fpm.sock")] +A helper function to quickly add php to an @code{nginx-server-configuration}. +@end deffn + +A simple services setup for nginx with php can look like this: +@example +(services (cons* (dhcp-client-service) + (service php-fpm-service-type) + (service nginx-service-type + (nginx-server-configuration + (server-name '("example.com")) + (root "/srv/http/") + (locations + (list (nginx-php-location))) + (https-port #f) + (ssl-certificate #f) + (ssl-certificate-key #f))) + %base-services)) +@end example + @node Certificate Services @subsubsection Certificate Services diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 7f338039e0..582cf535cb 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2016 ng0 ;;; Copyright © 2016, 2017 Julien Lepiller ;;; Copyright © 2017 Christopher Baines +;;; Copyright © 2017 nee ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,8 +27,11 @@ (define-module (gnu services web) #:use-module (gnu system shadow) #:use-module (gnu packages admin) #:use-module (gnu packages web) + #:use-module (gnu packages php) #:use-module (guix records) #:use-module (guix gexp) + #:use-module ((guix utils) #:select (version-major)) + #:use-module ((guix packages) #:select (package-version)) #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export ( @@ -78,7 +82,49 @@ (define-module (gnu services web) fcgiwrap-configuration fcgiwrap-configuration? - fcgiwrap-service-type)) + fcgiwrap-service-type + + + php-fpm-configuration + make-php-fpm-configuration + php-fpm-configuration? + php-fpm-configuration-php + php-fpm-configuration-socket + php-fpm-configuration-user + php-fpm-configuration-group + php-fpm-configuration-socket-user + php-fpm-configuration-socket-group + php-fpm-configuration-pid-file + php-fpm-configuration-log-file + php-fpm-configuration-process-manager + php-fpm-configuration-display-errors + php-fpm-configuration-workers-log-file + php-fpm-configuration-file + + + php-fpm-dynamic-process-manager-configuration + make-php-fpm-dynamic-process-manager-configuration + php-fpm-dynamic-process-manager-configuration? + php-fpm-dynamic-process-manager-configuration-max-children + php-fpm-dynamic-process-manager-configuration-start-servers + php-fpm-dynamic-process-manager-configuration-min-spare-servers + php-fpm-dynamic-process-manager-configuration-max-spare-servers + + + php-fpm-static-process-manager-configuration + make-php-fpm-static-process-manager-configuration + php-fpm-static-process-manager-configuration? + php-fpm-static-process-manager-configuration-max-children + + + php-fpm-on-demand-process-manager-configuration + make-php-fpm-on-demand-process-manager-configuration + php-fpm-on-demand-process-manager-configuration? + php-fpm-on-demand-process-manager-configuration-max-children + php-fpm-on-demand-process-manager-configuration-process-idle-timeout + + php-fpm-service-type + nginx-php-location)) ;;; Commentary: ;;; @@ -397,3 +443,202 @@ (define fcgiwrap-service-type (service-extension account-service-type fcgiwrap-accounts))) (default-value (fcgiwrap-configuration)))) + +(define-record-type* php-fpm-configuration + make-php-fpm-configuration + php-fpm-configuration? + (php php-fpm-configuration-php ; + (default php)) + (socket php-fpm-configuration-socket + (default (string-append "/var/run/php" + (version-major (package-version php)) + "-fpm.sock"))) + (user php-fpm-configuration-user + (default "php-fpm")) + (group php-fpm-configuration-group + (default "php-fpm")) + (socket-user php-fpm-configuration-socket-user + (default "php-fpm")) + (socket-group php-fpm-configuration-socket-group + (default "nginx")) + (pid-file php-fpm-configuration-pid-file + (default (string-append "/var/run/php" + (version-major (package-version php)) + "-fpm.pid"))) + (log-file php-fpm-configuration-log-file + (default (string-append "/var/log/php" + (version-major (package-version php)) + "-fpm.log"))) + (process-manager php-fpm-configuration-process-manager + (default (php-fpm-dynamic-process-manager-configuration))) + (display-errors php-fpm-configuration-display-errors + (default #f)) + (workers-log-file php-fpm-configuration-workers-log-file + (default (string-append "/var/log/php" + (version-major (package-version php)) + "-fpm.www.log"))) + (file php-fpm-configuration-file ;#f | file-like + (default #f))) + +(define-record-type* + php-fpm-dynamic-process-manager-configuration + make-php-fpm-dynamic-process-manager-configuration + php-fpm-dynamic-process-manager-configuration? + (max-children php-fpm-dynamic-process-manager-configuration-max-children + (default 5)) + (start-servers php-fpm-dynamic-process-manager-configuration-start-servers + (default 2)) + (min-spare-servers php-fpm-dynamic-process-manager-configuration-min-spare-servers + (default 1)) + (max-spare-servers php-fpm-dynamic-process-manager-configuration-max-spare-servers + (default 3))) + +(define-record-type* + php-fpm-static-process-manager-configuration + make-php-fpm-static-process-manager-configuration + php-fpm-static-process-manager-configuration? + (max-children php-fpm-static-process-manager-configuration-max-children + (default 5))) + +(define-record-type* + php-fpm-on-demand-process-manager-configuration + make-php-fpm-on-demand-process-manager-configuration + php-fpm-on-demand-process-manager-configuration? + (max-children php-fpm-on-demand-process-manager-configuration-max-children + (default 5)) + (process-idle-timeout php-fpm-on-demand-process-manager-configuration-process-idle-timeout + (default 10))) + +(define php-fpm-accounts + (match-lambda + (($ php socket user group socket-user socket-group _ _ _ _ _ _) + (list + (user-group (name "php-fpm") (system? #t)) + (user-group + (name group) + (system? #t)) + (user-account + (name user) + (group group) + (supplementary-groups '("php-fpm")) + (system? #t) + (comment "php-fpm daemon user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))))) + +(define (default-php-fpm-config socket user group socket-user socket-group + pid-file log-file pm display-errors workers-log-file) + (apply mixed-text-file "php-fpm.conf" + (flatten + "[global]\n" + "pid =" pid-file "\n" + "error_log =" log-file "\n" + "[www]\n" + "user =" user "\n" + "group =" group "\n" + "listen =" socket "\n" + "listen.owner =" socket-user "\n" + "listen.group =" socket-group "\n" + + (match pm + (($ + pm.max-children + pm.start-servers + pm.min-spare-servers + pm.max-spare-servers) + (list + "pm = dynamic\n" + "pm.max_children =" (number->string pm.max-children) "\n" + "pm.start_servers =" (number->string pm.start-servers) "\n" + "pm.min_spare_servers =" (number->string pm.min-spare-servers) "\n" + "pm.max_spare_servers =" (number->string pm.max-spare-servers) "\n")) + + (($ + pm.max-children) + (list + "pm = static\n" + "pm.max_children =" (number->string pm.max-children) "\n")) + + (($ + pm.max-children + pm.process-idle-timeout) + (list + "pm = ondemand\n" + "pm.max_children =" (number->string pm.max-children) "\n" + "pm.process_idle_timeout =" (number->string pm.process-idle-timeout) "s\n"))) + + + "php_flag[display_errors] = " (if display-errors "on" "off") "\n" + + (if workers-log-file + (list "catch_workers_output = yes\n" + "php_admin_value[error_log] =" workers-log-file "\n" + "php_admin_flag[log_errors] = on\n") + (list "catch_workers_output = no\n"))))) + +(define php-fpm-shepherd-service + (match-lambda + (($ php socket user group socket-user socket-group + pid-file log-file pm display-errors workers-log-file file) + (list (shepherd-service + (provision '(php-fpm)) + (documentation "Run the php-fpm daemon.") + (requirement '(networking)) + (start #~(make-forkexec-constructor + '(#$(file-append php "/sbin/php-fpm") + "--fpm-config" + #$(or file + (default-php-fpm-config socket user group + socket-user socket-group pid-file log-file + pm display-errors workers-log-file))) + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))))) + +(define php-fpm-activation + (match-lambda + (($ _ _ user _ _ _ _ log-file _ _ workers-log-file _) + #~(begin + (use-modules (guix build utils)) + (let* ((user (getpwnam #$user)) + (touch (lambda (file-name) + (call-with-output-file file-name (const #t)))) + (init-log-file + (lambda (file-name) + (when #$workers-log-file + (when (not (file-exists? file-name)) + (touch file-name)) + (chown file-name (passwd:uid user) (passwd:gid user)) + (chmod file-name #o660))))) + (init-log-file #$log-file) + (init-log-file #$workers-log-file)))))) + + +(define php-fpm-service-type + (service-type + (name 'php-fpm) + (description + "Run @command{php-fpm} to provide a fastcgi socket for calling php through +a webserver.") + (extensions + (list (service-extension shepherd-root-service-type + php-fpm-shepherd-service) + (service-extension activation-service-type + php-fpm-activation) + (service-extension account-service-type + php-fpm-accounts))) + (default-value (php-fpm-configuration)))) + +(define* (nginx-php-location + #:key + (nginx-package nginx) + (socket (string-append "/var/run/php" + (version-major (package-version php)) + "-fpm.sock"))) + "Return a nginx-location-configuration that makes nginx run .php files." + (nginx-location-configuration + (uri "~ \\.php$") + (body (list + "fastcgi_split_path_info ^(.+\\.php)(/.+)$;" + (string-append "fastcgi_pass unix:" socket ";") + "fastcgi_index index.php;" + (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;"))))) diff --git a/gnu/tests/web.scm b/gnu/tests/web.scm index de7ab3cd65..e975cb8300 100644 --- a/gnu/tests/web.scm +++ b/gnu/tests/web.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Ludovic Courtès +;;; Copyright © 2017 Christopher Baines ;;; ;;; This file is part of GNU Guix. ;;; @@ -27,7 +28,8 @@ (define-module (gnu tests web) #:use-module (gnu services networking) #:use-module (guix gexp) #:use-module (guix store) - #:export (%test-nginx)) + #:export (%test-nginx + %test-php-fpm)) (define %index.html-contents ;; Contents of the /index.html file served by nginx. @@ -129,3 +131,122 @@ (define %test-nginx (name "nginx") (description "Connect to a running NGINX server.") (value (run-nginx-test)))) + + +;;; +;;; PHP-FPM +;;; + +(define %make-php-fpm-http-root + ;; Create our server root in /srv. + #~(begin + (mkdir "/srv") + (call-with-output-file "/srv/index.php" + (lambda (port) + (display "\n" port))))) + +(define %php-fpm-nginx-server-blocks + (list (nginx-server-configuration + (root "/srv") + (locations + (list (nginx-php-location))) + (http-port 8042) + (https-port #f) + (ssl-certificate #f) + (ssl-certificate-key #f)))) + +(define %php-fpm-os + ;; Operating system under test. + (simple-operating-system + (dhcp-client-service) + (service php-fpm-service-type) + (service nginx-service-type + (nginx-configuration + (server-blocks %php-fpm-nginx-server-blocks))) + (simple-service 'make-http-root activation-service-type + %make-php-fpm-http-root))) + +(define* (run-php-fpm-test #:optional (http-port 8042)) + "Run tests in %PHP-FPM-OS, which has nginx running and listening on +HTTP-PORT, along with php-fpm." + (define os + (marionette-operating-system + %php-fpm-os + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine + (operating-system os) + (port-forwardings `((8080 . ,http-port))))) + + (define test + (with-imported-modules '((gnu build marionette) + (guix build utils)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette) + (web uri) + (web client) + (web response)) + + (define marionette + (make-marionette (list #$vm))) + + (mkdir #$output) + (chdir #$output) + + (test-begin "php-fpm") + + (test-assert "php-fpm running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'php-fpm) + (#f #f) + (('service response-parts ...) + (match (assq-ref response-parts 'running) + ((pid) (number? pid)))))) + marionette)) + + (test-eq "nginx running" + 'running! + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (start-service 'nginx) + 'running!) + marionette)) + + (test-equal "http-get" + 200 + (let-values (((response text) + (http-get "http://localhost:8080/index.php" + #:decode-body? #t))) + (response-code response))) + + (test-equal "php computed result is sent" + "Computed by php:5" + (let-values (((response text) + (http-get "http://localhost:8080/index.php" + #:decode-body? #t))) + (begin + (use-modules (ice-9 regex)) + (let ((matches (string-match "Computed by php:5" text))) + (and matches + (match:substring matches 0)))))) + + (test-end) + + (exit (= (test-runner-fail-count (test-runner-current)) 0))))) + + (gexp->derivation "php-fpm-test" test)) + +(define %test-php-fpm + (system-test + (name "php-fpm") + (description "Test PHP-FPM through nginx.") + (value (run-php-fpm-test)))) -- cgit v1.2.3 From 8b223ceac4ff0781e95d69362875f87cff03f4d6 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sat, 9 Dec 2017 12:59:12 +0100 Subject: services: nginx: Replace 'http-port' and 'https-port' with 'listen'. * doc/guix.texi (Web Services, Version Control Services): Update accordingly. * gnu/services/certbot.scm (certbot-nginx-server-configurations): Likewise. * gnu/services/version-control.scm (%cgit-configuration-nginx): Likewise. * gnu/services/web.scm (, emit-nginx-server-config): Likewise. * gnu/tests/version-control.scm (%cgit-configuration-nginx, %git-nginx-configuration): Likewise. * gnu/tests/web.scm (%nginx-servers, %php-fpm-nginx-server-blocks): Likewise. --- doc/guix.texi | 20 +++++++++----------- gnu/services/certbot.scm | 4 ++-- gnu/services/version-control.scm | 3 ++- gnu/services/web.scm | 16 ++++++---------- gnu/tests/version-control.scm | 7 +++---- gnu/tests/web.scm | 6 +++--- 6 files changed, 25 insertions(+), 31 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/doc/guix.texi b/doc/guix.texi index 242e54fd15..e44478cbf4 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14938,17 +14938,15 @@ Data type representing the configuration of an nginx server block. This type has the following parameters: @table @asis -@item @code{http-port} (default: @code{80}) -Nginx will listen for HTTP connection on this port. Set it at @code{#f} if -nginx should not listen for HTTP (non secure) connection for this -@dfn{server block}. +@item @code{listen} (default: @code{'("80" "443 ssl")}) +Each @code{listen} directive sets the address and port for IP, or the +path for a UNIX-domain socket on which the server will accept requests. +Both address and port, or only address or only port can be specified. +An address may also be a hostname, for example: -@item @code{https-port} (default: @code{443}) -Nginx will listen for HTTPS connection on this port. Set it at @code{#f} if -nginx should not listen for HTTPS (secure) connection for this @dfn{server block}. - -Note that nginx can listen for HTTP and HTTPS connections in the same -@dfn{server block}. +@example +'("127.0.0.1:8000" "127.0.0.1" "8000" "*:8000" "localhost:8000") +@end example @item @code{server-name} (default: @code{(list 'default)}) A list of server names this server represents. @code{'default} represents the @@ -17689,7 +17687,7 @@ serve the default @file{/srv/git} over HTTPS might be: (server-blocks (list (nginx-server-configuration - (http-port #f) + (listen '("443 ssl")) (server-name "git.my-host.org") (ssl-certificate "/etc/letsencrypt/live/git.my-host.org/fullchain.pem") diff --git a/gnu/services/certbot.scm b/gnu/services/certbot.scm index 0d72a4b700..8aac2638b3 100644 --- a/gnu/services/certbot.scm +++ b/gnu/services/certbot.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016 ng0 ;;; Copyright © 2016 Sou Bunnbu +;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; @@ -97,8 +98,7 @@ (define certbot-nginx-server-configurations (map (lambda (host) (nginx-server-configuration - (http-port 80) - (https-port #f) + (listen '("80")) (ssl-certificate #f) (ssl-certificate-key #f) (server-name (list host)) diff --git a/gnu/services/version-control.scm b/gnu/services/version-control.scm index fce2ce1c25..6bf656949a 100644 --- a/gnu/services/version-control.scm +++ b/gnu/services/version-control.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2016 ng0 ;;; Copyright © 2016 Sou Bunnbu ;;; Copyright © 2017 Oleg Pykhalov +;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; @@ -231,7 +232,7 @@ (define %cgit-configuration-nginx "fastcgi_param HTTP_HOST $server_name;" "fastcgi_pass 127.0.0.1:9000;"))))) (try-files (list "$uri" "@cgit")) - (https-port #f) + (listen '("80")) (ssl-certificate #f) (ssl-certificate-key #f)))) diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 582cf535cb..8a16f50de4 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2016, 2017 Julien Lepiller ;;; Copyright © 2017 Christopher Baines ;;; Copyright © 2017 nee +;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; @@ -49,8 +50,7 @@ (define-module (gnu services web) nginx-server-configuration nginx-server-configuration? - nginx-server-configuration-http-port - nginx-server-configuartion-https-port + nginx-server-configuration-listen nginx-server-configuration-server-name nginx-server-configuration-root nginx-server-configuration-locations @@ -135,10 +135,8 @@ (define-module (gnu services web) (define-record-type* nginx-server-configuration make-nginx-server-configuration nginx-server-configuration? - (http-port nginx-server-configuration-http-port - (default 80)) - (https-port nginx-server-configuration-https-port - (default 443)) + (listen nginx-server-configuration-listen + (default '("80" "443 ssl"))) (server-name nginx-server-configuration-server-name (default (list 'default))) (root nginx-server-configuration-root @@ -225,8 +223,7 @@ (define emit-nginx-location-config " }\n")))) (define (emit-nginx-server-config server) - (let ((http-port (nginx-server-configuration-http-port server)) - (https-port (nginx-server-configuration-https-port server)) + (let ((listen (nginx-server-configuration-listen server)) (server-name (nginx-server-configuration-server-name server)) (ssl-certificate (nginx-server-configuration-ssl-certificate server)) (ssl-certificate-key @@ -245,8 +242,7 @@ (define-syntax-rule (and/l x tail ...) '()))) (list " server {\n" - (and/l http-port " listen " (number->string <>) ";\n") - (and/l https-port " listen " (number->string <>) " ssl;\n") + (map (lambda (directive) (list " listen " directive ";\n")) listen) " server_name " (config-domain-strings server-name) ";\n" (and/l ssl-certificate " ssl_certificate " <> ";\n") (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n") diff --git a/gnu/tests/version-control.scm b/gnu/tests/version-control.scm index 2cbacf0ef9..7367861b05 100644 --- a/gnu/tests/version-control.scm +++ b/gnu/tests/version-control.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Oleg Pykhalov ;;; Copyright © 2017 Ludovic Courtès +;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; @@ -78,8 +79,7 @@ (define %cgit-configuration-nginx "fastcgi_param HTTP_HOST $server_name;" "fastcgi_pass 127.0.0.1:9000;"))))) (try-files (list "$uri" "@cgit")) - (http-port 19418) - (https-port #f) + (listen '("19418")) (ssl-certificate #f) (ssl-certificate-key #f)))) @@ -211,8 +211,7 @@ (define %git-nginx-configuration (server-blocks (list (nginx-server-configuration - (http-port 19418) - (https-port #f) + (listen '("19418")) (ssl-certificate #f) (ssl-certificate-key #f) (locations diff --git a/gnu/tests/web.scm b/gnu/tests/web.scm index e975cb8300..f1214fb5fd 100644 --- a/gnu/tests/web.scm +++ b/gnu/tests/web.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Ludovic Courtès ;;; Copyright © 2017 Christopher Baines +;;; Copyright © 2017 Clément Lassieur ;;; ;;; This file is part of GNU Guix. ;;; @@ -47,7 +48,7 @@ (define %nginx-servers ;; Server blocks. (list (nginx-server-configuration (root "/srv") - (http-port 8042)))) + (listen '("8042" "443 ssl"))))) (define %nginx-os ;; Operating system under test. @@ -153,8 +154,7 @@ (define %php-fpm-nginx-server-blocks (root "/srv") (locations (list (nginx-php-location))) - (http-port 8042) - (https-port #f) + (listen "8042") (ssl-certificate #f) (ssl-certificate-key #f)))) -- cgit v1.2.3 From b05e8ee1205bc10f2ab33045f257170d4ce1999b Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sat, 9 Dec 2017 22:47:53 +0100 Subject: services: nginx: Allow to add raw content to the server blocks. * doc/guix.texi (Web Services): Document 'raw-content'. * gnu/services/web.scm ()[raw-content]: New field. (emit-nginx-server-config): Add it. --- doc/guix.texi | 3 +++ gnu/services/web.scm | 9 +++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'gnu/services/web.scm') diff --git a/doc/guix.texi b/doc/guix.texi index e44478cbf4..68f3a88781 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14979,6 +14979,9 @@ you don't have a key or you don't want to use HTTPS. @item @code{server-tokens?} (default: @code{#f}) Whether the server should add its configuration to response. +@item @code{raw-content} (default: @code{'()}) +A list of raw lines added to the server block. + @end table @end deftp diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 8a16f50de4..2371ddb6d0 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -58,6 +58,7 @@ (define-module (gnu services web) nginx-server-configuration-ssl-certificate nginx-server-configuration-ssl-certificate-key nginx-server-configuration-server-tokens? + nginx-server-configuration-raw-content nginx-upstream-configuration @@ -152,7 +153,9 @@ (define-record-type* (ssl-certificate-key nginx-server-configuration-ssl-certificate-key (default #f)) (server-tokens? nginx-server-configuration-server-tokens? - (default #f))) + (default #f)) + (raw-content nginx-server-configuration-raw-content + (default '()))) (define-record-type* nginx-upstream-configuration make-nginx-upstream-configuration @@ -232,7 +235,8 @@ (define (emit-nginx-server-config server) (index (nginx-server-configuration-index server)) (try-files (nginx-server-configuration-try-files server)) (server-tokens? (nginx-server-configuration-server-tokens? server)) - (locations (nginx-server-configuration-locations server))) + (locations (nginx-server-configuration-locations server)) + (raw-content (nginx-server-configuration-raw-content server))) (define-syntax-parameter <> (syntax-rules ())) (define-syntax-rule (and/l x tail ...) (let ((x* x)) @@ -255,6 +259,7 @@ (define-syntax-rule (and/l x tail ...) "\n" (map emit-nginx-location-config locations) "\n" + (map (lambda (x) (list " " x "\n")) raw-content) " }\n"))) (define (emit-nginx-upstream-config upstream) -- cgit v1.2.3