Subject: [bug#63877] [PATCH 1/2] gnu: services: web: Allow specifying extra php-fpm environment variables.
From: Timo Wilken <guix@twilken.net>
To: 63877@debbugs.gnu.org
Cc: Ludovic Courtès, Bruno Victal, Timo Wilken
Date: Sun, 18 Feb 2024 00:21:46 +0100
Message-ID: <20240217232151.12507-3-guix@twilken.net>
In-Reply-To: <20240217232151.12507-1-guix@twilken.net>
References: <7be3201e-af9b-4ad0-81d6-44ab316d2162@makinata.eu> <20240217232151.12507-1-guix@twilken.net>
X-Mailer: git-send-email 2.41.0

Some PHP programs, like Nextcloud, make HTTPS requests to other servers.
For this, they need to know where the system CA certificates are, so
SSL_CERT_DIR needs to be set. This can be accomplished by the user using
the new environment-variables field of . This field is empty by default
to preserve the existing behaviour of php-fpm.

* gnu/services/web.scm (): Add environment-variables field.
(php-fpm-shepherd-service): Use the new field.
* doc/guix.texi (Web Services): Document the new field.
---
 doc/guix.texi        | 14 ++++++++++++++
 gnu/services/web.scm | 32 ++++++++++++++++++++++++++++----
 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 04119a5955..2bb076a8fa 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -124,6 +124,7 @@ Copyright @copyright{} 2023 Thomas Ieong@* Copyright @copyright{} 2023 Saku Laesvuori@* Copyright @copyright{} 2023 Graham James Addis@* Copyright @copyright{} 2023 Tomas Volf@* +Copyright @copyright{} 2024 Timo Wilken@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -32227,6 +32228,19 @@ max_execution_time = 1800")) Consult the @url{https://www.php.net/manual/en/ini.core.php,core php.ini directives} for comprehensive documentation on the acceptable @file{php.ini} directives. +@item @code{environment-variables} (default @code{(list)}) +A list of @code{(variable-name . value)} pairs, representing environment +variable assignments. @code{value} may be a string or a store object, +for example returned by @code{file-append}. These environment variables +are set for the php-fpm process. This can be used to, for example, +point PHP at the CA certificates in the @code{nss-certs} package from +@code{(gnu packages certs)}: +@lisp +(php-fpm-configuration + ;; @dots{} + (environment-variables + `(("SSL_CERT_DIR" . ,(file-append nss-certs "/etc/ssl/certs"))))) +@end lisp @end table @end deftp diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 05fd71f994..5fd09c8945 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -16,6 +16,7 @@ ;;; Copyright © 2020, 2021 Alexandru-Sergiu Marton ;;; Copyright © 2022 Simen Endsjø ;;; Copyright © 2023 Bruno Victal +;;; Copyright © 2024 Timo Wilken ;;; ;;; This file is part of GNU Guix. ;;; @@ -974,7 +975,9 @@ (define-record-type* php-fpm-configuration (file php-fpm-configuration-file ;#f | file-like (default #f)) (php-ini-file php-fpm-configuration-php-ini-file ;#f | file-like - (default #f))) + (default #f)) + (environment-variables php-fpm-configuration-environment-variables ;list of pairs of file-like + (default '()))) (define-record-type* php-fpm-dynamic-process-manager-configuration 
@@ -1024,7 +1027,8 @@ (define php-fpm-accounts (shell (file-append shadow "/sbin/nologin"))))))) (define (default-php-fpm-config socket user group socket-user socket-group - pid-file log-file pm display-errors timezone workers-log-file) + pid-file log-file pm display-errors timezone workers-log-file + environment-variables) (apply mixed-text-file "php-fpm.conf" (flatten "[global]\n" @@ -1068,6 +1072,10 @@ (define (default-php-fpm-config socket user group socket-user socket-group "pm.max_children =" (number->string pm.max-children) "\n" "pm.process_idle_timeout =" (number->string pm.process-idle-timeout) "s\n"))) + (map (lambda (variable) + ;; PHP-FPM will interpolate $VARIABLES from the outside environment. + (list "env[" variable "] = $" variable "\n")) + (map car environment-variables)) "php_flag[display_errors] = " (if display-errors "on" "off") "\n" @@ -1081,7 +1089,8 @@ (define php-fpm-shepherd-service (match-lambda (($ php socket user group socket-user socket-group pid-file log-file pm display-errors - timezone workers-log-file file php-ini-file) + timezone workers-log-file file php-ini-file + environment-variables) (list (shepherd-service (provision '(php-fpm)) (documentation "Run the php-fpm daemon.") 
@@ -1092,10 +1101,25 @@ (define php-fpm-shepherd-service #$(or file (default-php-fpm-config socket user group socket-user socket-group pid-file log-file - pm display-errors timezone workers-log-file)) + pm display-errors timezone workers-log-file + environment-variables)) #$@(if php-ini-file `("-c" ,php-ini-file) '())) + ;; Environment variables must be explicitly passed + ;; through in PHP-FPM's configuration. However, we + ;; can't just set them there, since libraries loaded by + ;; PHP (e.g. libcurl) will not see them if they are only + ;; set there. For those libraries, the variables also + ;; need to be present in the "outer" environment, so set + ;; them here as well. + #:environment-variables + (cons* + #$@(map (match-lambda + ((variable . value) + #~(string-append #$variable "=" #$value))) + environment-variables) + (default-environment-variables)) #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))))) -- 2.41.0
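Review bot: in the guix.texi hunk for @code{environment-variables}, the @item text describes the type of @code{value} but not of @code{variable-name}; since the name is written verbatim into the generated php-fpm.conf (see the env[...] map in web.scm), the documentation should say it must be a plain string that is a valid environment variable name, and it should add one sentence telling users to keep secrets out of this field, because the values are passed to the shepherd service and therefore land in the store.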
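Review bot: in the php-fpm-configuration record hunk, the field comment `;list of pairs of file-like` does not match the documented type: the car of each pair is a string variable name and only the cdr may be a string or a file-like. Suggest `;list of (string . string-or-file-like) pairs` so the record comment and the guix.texi text agree.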
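Review bot: in the default-php-fpm-config hunk, each variable name is interpolated into php-fpm.conf with no validation, so a name containing `]`, `=`, `$` or a newline yields a malformed or unintended `env[...]` directive instead of a clear error. Suggest rejecting names that do not match a pattern such as `^[A-Za-z_][A-Za-z0-9_]*$`, either here or via a `sanitize` clause on the record field, and raising a proper error. The separate `(map car environment-variables)` can also be folded into the outer map with `match-lambda` on `(variable . _)`, which matches the style used in the php-fpm-shepherd-service hunk below.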
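Review bot: in the php-fpm-shepherd-service hunk, the comment above `#:environment-variables` explains why the values must be in the outer environment but not the consequence: every `#$value` is spliced into the start gexp, so it becomes part of the shepherd service file in the world-readable store and is visible in the php-fpm master's process environment. The comment (and the user-facing documentation) should say that this field is for configuration such as SSL_CERT_DIR, not for credentials. Also note that the user's pairs are consed in front of `(default-environment-variables)`, so a user-supplied variable with the same name as a default, such as PATH, shadows the default; that is presumably intended but deserves a sentence in the comment.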