feat(roles/php): allow for PHP-FPM pools to be configured individually.

CHANGELOG.md

@@ -15,12 +15,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Breaking Changes
 
+* **role:php**: The PHP-FPM pool config changed for existing hosts. Sessions now live in a per-pool directory (the default `www` pool moves from `/var/lib/php/session` to `/var/lib/php/session/www`), so logged-in users are signed out once after the upgrade. `memory_limit`, `max_execution_time`, `max_input_vars`, `post_max_size`, `upload_max_filesize` and `session.save_path` are now enforced as `php_admin_value`, so applications can no longer raise them at runtime via `ini_set()`. The FPM status path moved from `/fpm-status` to `/www-fpm-status`, and `soap.wsdl_cache_dir` is no longer set (PHP default applies). Worker processes now recycle after 500 requests (`pm.max_requests`), where previously they ran indefinitely.
 * **role:apache_httpd, role:apache_tomcat, role:mastodon, role:postgresql_server**: Rename tags to the project-wide naming scheme. `apache_httpd:config` becomes `apache_httpd:configure`, and `apache_tomcat:users`, `mastodon:users`, `postgresql_server:users` and `postgresql_server:databases` lose their trailing `s` (`...:user`, `...:database`). Adjust any `--tags` / `--skip-tags` invocations and automation that reference the old tag names.
 * **role:minio_client, role:objectstore_backup**: Both roles and their playbooks (`playbooks/minio_client.yml`, `playbooks/objectstore_backup.yml`) have been removed, along with the corresponding role blocks in `playbooks/setup_nextcloud.yml` and the `setup_nextcloud__skip_minio_client` / `setup_nextcloud__skip_objectstore_backup` variables. MinIO Server has been archived as no-longer-maintained since February 2026, and we are moving away from using object storage for critical data. Users relying on these roles must replace the MinIO-based object-store backup with their own solution (e.g. `rclone`); the `mc` binary, its config under `/etc/mc/`, the `objectstore-backup` systemd timer/service, and `/usr/local/bin/mc-mirror.sh` are no longer managed by lfops and will remain on existing hosts until removed manually ([#241](https://github.com/Linuxfabrik/lfops/issues/241)).
 * **role:infomaniak_vm**: Always create a managed port for every entry in `infomaniak_vm__networks`, even when no `fixed_ip` is set. Previously only networks with a `fixed_ip` got a managed port; networks without one relied on OpenStack's auto-created port. To avoid creating unused (but billed) managed ports on VMs provisioned under the old behavior, make sure to manually rename the existing port in OpenStack to match the `port_name`. Note that this port will not survive VM deletion / detachment, since it was automatically created and therefore is owned by OpenStack, not the user.
 
 ### Added
 
+* **role:php**: PHP-FPM pools are now fully configurable, each with its own user/group, process-manager tuning, timeouts and `php_admin_value` overrides. Every pool gets its own isolated session directory (created automatically, with correct ownership and SELinux labeling on RedHat).
 * **testing**: Add a Molecule-based test framework that runs the playbooks (and through them the roles) against throwaway libvirt/KVM VMs or Podman containers. Scenarios live under `extensions/molecule`; see the Testing section in `CONTRIBUTING.md`.
 * **role:icinga2_master, role:icingadb, role:icingaweb2, role:icingaweb2_module_reporting, role:icingaweb2_module_x509**: Add explicit Ubuntu variable files, making Ubuntu support visible alongside Debian. The Icinga repository, GPG key and package names were verified on Debian 13 and Ubuntu 24.04.
 * **role:nextcloud**: Add `meta/argument_specs.yml` declaring the user-facing variables, so role-entry validation catches type mismatches and missing mandatory variables.

playbooks/php.yml

@@ -29,6 +29,10 @@
         - 'ansible_facts["os_family"] == "RedHat"'
         - 'not php__skip_repo_remi | default(false)'
 
+    - role: 'linuxfabrik.lfops.repo_sury'
+      when:
+        - 'ansible_facts["os_family"] == "Debian"'
+
     - role: 'linuxfabrik.lfops.php'
 
 

roles/duplicity/README.md

@@ -1,4 +1,4 @@
-# Ansible Role linuxfabrik.lfops.duplicity
+s# Ansible Role linuxfabrik.lfops.duplicity
 
 This role configures *daily file-based* backups using [duplicity](https://duplicity.gitlab.io/). Currently, this role is focused on using [OpenStack Object Storage ("Swift")](https://wiki.openstack.org/wiki/Swift) as the storage backend.
 

roles/influxdb/README.md

@@ -5,6 +5,7 @@ This role installs and configures [InfluxDB](https://www.influxdata.com/products
 
 *Available since LFOps `2.0.0`.*
 
+## Dependent Roles
 
 ## Dependent Roles
 

roles/php/README.md

@@ -2,7 +2,7 @@
 
 This role installs and configures PHP (and PHP-FPM) on the system, optionally with additional modules.
 
-Note that this role does NOT let you specify a particular PHP version. It simply installs the latest available PHP version from the repos configured in the system. If you want or need to install a specific or the latest PHP version available, use the [linuxfabrik.lfops.repo_remi](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_remi) beforehand.
+Note that this role does NOT let you specify a particular PHP version. It simply installs the latest available PHP version from the repos configured in the system. If you want or need to install a specific or the latest PHP version available, use the [linuxfabrik.lfops.repo_remi](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_remi) (Red Hat family) or [linuxfabrik.lfops.repo_sury](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_sury) (Debian family) beforehand.
 
 This role is compatible with the following PHP versions:
 
@@ -33,7 +33,8 @@ This role never exposes to the world that PHP is installed on the server, no mat
 
 Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/README.md) that installs this role runs these for you. Optional ones can be disabled via the playbook's skip variables.
 
-* Optional: [Remi's RPM repository](https://rpms.remirepo.net/) (role: [linuxfabrik.lfops.repo_remi](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_remi)) provides newer PHP versions.
+* Optional: [Remi's RPM repository](https://rpms.remirepo.net/) (role: [linuxfabrik.lfops.repo_remi](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_remi)) provides newer PHP versions on the Red Hat family.
+* [Sury repository](https://deb.sury.org/) (role: [linuxfabrik.lfops.repo_sury](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_sury)) provides newer PHP versions on the Debian family.
 
 
 ## Tags
@@ -45,23 +46,27 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE
 * Ensure PHP modules are absent.
 * Ensure PHP modules are present.
 * Get PHP version.
-* Load default values for `{{ php__installed_version }}`.
+* Load default values for `{{ __php__installed_version }}`.
 * Deploy the /etc/php.d/z00-linuxfabrik.ini.
 * `systemctl {{ php__fpm_service_enabled | bool | ternary("enable", "disable") }} --now php-fpm`.
+* Ensure the shared opcache directory exists.
+* Create the per-pool session directories.
 * Remove absent pools from `/etc/php-fpm.d`.
 * Deploy the pools to `/etc/php-fpm.d/`.
 * Triggers: php-fpm.service restart.
 
 `php:fpm`
 
+* Ensure the shared opcache directory exists.
+* Create the per-pool session directories.
 * Remove absent pools from /etc/php-fpm.d.
 * Deploy the pools to /etc/php-fpm.d/.
 * Triggers: php-fpm.service restart.
 
 `php:ini`
 
 * Get PHP version.
-* Load default values for `{{ php__installed_version }}`.
+* Load default values for `{{ __php__installed_version }}`.
 * Deploy the `/etc/php.d/z00-linuxfabrik.ini`.
 * Triggers: php-fpm.service restart.
 
@@ -86,42 +91,6 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE
 * Type: Bool.
 * Default: `true`
 
-`php__fpm_pools__host_var` / `php__fpm_pools__group_var`
-
-* List of dictionaries containing PHP-FPM pools.
-* For the usage in `host_vars` / `group_vars` (can only be used in one group at a time).
-* Type: List of dictionaries.
-* Default: `[]`
-* Subkeys:
-
-    * `name`:
-
-        * Mandatory. The name of the pool. Will also be used as the filename and for logfiles.
-        * Type: String.
-
-    * `state`:
-
-        * Optional. State of the pool. Possible options: `absent`, `present`.
-        * Type: String.
-        * Default: `'present'`
-
-    * `user`:
-
-        * Optional. The Unix user running the pool processes.
-        * Type: String.
-        * Default: `'apache'`
-
-    * `group`:
-
-        * Optional. The Unix group running the pool processes.
-        * Type: String.
-        * Default: `'apache'`
-
-    * `raw`:
-
-        * Optional. Raw content which will be added to the end of the pool config.
-        * Type: String.
-
 `php__modules__host_var` / `php__modules__group_var`
 
 * List of dictionaries containing additional PHP modules that should be installed via the standard package manager.
@@ -189,7 +158,7 @@ Variables for `php.ini` directives and their default values, defined and support
 
 * Set the error reporting level. [php.net](https://www.php.net/manual/en/errorfunc.configuration.php)
 * Type: String.
-* Default: `'E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT'`
+* Default: 7.2 - 8.4: `'E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT'`, 8.5: `'E_ALL & ~E_NOTICE & ~E_DEPRECATED'` (`E_STRICT` is deprecated as of PHP 8.4)
 
 `php__ini_max_execution_time__group_var` / `php__ini_max_execution_time__host_var`
 
@@ -309,7 +278,7 @@ Variables for `php.ini` directives and their default values, defined and support
 
 * [php.net](https://www.php.net/manual/en/session.configuration.php)
 * Type: Number.
-* Default: `32`
+* Default: 7.2 - 8.4: `32`. Not managed on 8.5, where PHP's built-in default applies.
 
 `php__ini_session_trans_sid_tags__group_var` / `php__ini_session_trans_sid_tags__host_var`
 
@@ -343,7 +312,11 @@ php__ini_upload_max_filesize__host_var: '10000M'
 
 ## Optional Role Variables - PHP-FPM Pool Config Directives
 
-Variables for `php.ini` directives and their default values, defined and supported by this role.
+Variables for PHP-FPM Pool Config directives and their default values, defined and supported by this role.
+
+For every pool the role creates a dedicated session directory below the distribution's session base (`/var/lib/php/session` on RedHat, `/var/lib/php/sessions` on Debian) and a single shared opcache directory (`/var/lib/php/opcache`). On Debian, stale session files are reaped by the packaged `sessionclean` timer, which recurses the session base using the global `session.gc_maxlifetime`. A per-pool `session.gc_maxlifetime` is therefore not honored by the cleanup on Debian, and a session that stays open but idle longer than the lifetime may be removed.
+
+Each pool listens on its own Unix socket below the FPM runtime directory (`/run/php-fpm/{{ item["name"] }}.sock` on RedHat, `/run/php/{{ item["name"] }}.sock` on Debian). On Debian, the packaged php-fpm systemd unit additionally maintains a version-agnostic `update-alternatives` alias at `/run/php/php-fpm.sock` that points at the socket of the default `www` pool. This alias only ever tracks `www`, not the pools created by this role, so configure your web server with the explicit per-pool socket path rather than the generic `/run/php/php-fpm.sock`. RedHat ships no such alias.
 
 `php__fpm_pool_conf_pm__group_var` / `php__fpm_pool_conf_pm__host_var`
 
@@ -387,47 +360,179 @@ Variables for `php.ini` directives and their default values, defined and support
 * Type: Number.
 * Default: `0`
 
-`php__fpm_pools__group_var` / `php__fpm_pools__host_var`
+`php__fpm_pools__host_var` / `php__fpm_pools__group_var`
 
-* List defining pool configuration.
+* List of dictionaries containing PHP-FPM pools.
+* For the usage in `host_vars` / `group_vars` (can only be used in one group at a time).
 * Type: List of dictionaries.
-* Default: `name: 'www'` `user: 'apache'` `group: 'apache'`
+* Default: One pool named `www`.
 * Subkeys:
 
     * `name`:
 
-        * Mandatory. Pool name.
+        * Mandatory. The name of the pool. Will also be used as the filename and for logfiles.
         * Type: String.
 
+    * `state`:
+
+        * Optional. State of the pool. Possible options: `absent`, `present`.
+        * Type: String.
+        * Default: `'present'`
+
     * `user`:
 
-        * Optional. The Unix user running the pool processes.
+        * Optional. The Unix user running the pool processes. [php.net](https://www.php.net/install.fpm.configuration.php#user)
         * Type: String.
+        * Default: `'apache'` (RedHat), `www-data` (Debian)
 
     * `group`:
 
-        * Optional. The Unix group running the pool processes.
+        * Optional. The Unix group running the pool processes. [php.net](https://www.php.net/install.fpm.configuration.php#group)
+        * Type: String.
+        * Default: `'apache'` (RedHat), `www-data` (Debian)
+
+    * `pm`:
+
+        * Optional. Choose how the process manager will control the number of child processes. [php.net](https://www.php.net/install.fpm.configuration.php#pm)
+        * Type: String.
+        * Default: `{{ php__fpm_pool_conf_pm__combined_var }}` (which defaults to `'dynamic'`)
+
+    * `pm_max_children`:
+
+        * Optional. The number of child processes to be created when pm is set to `'static'` and the maximum number of child processes when pm is set to `'dynamic'` or `'ondemand'`. [php.net](https://www.php.net/install.fpm.configuration.php#pm.max-children)
+        * Type: Number.
+        * Default: `{{ php__fpm_pool_conf_pm_max_children__combined_var }}` (which defaults to `50`)
+
+    * `pm_start_servers`:
+
+        * Optional. The number of child processes created on startup. Must be greater than `pm_min_spare_servers` but less than `pm_max_spare_servers`. Used only when `pm` is set to `'dynamic`'. [php.net](https://www.php.net/install.fpm.configuration.php#pm.start-servers)
+        * Type: Number.
+        * Default: `{{ php__fpm_pool_conf_pm_start_servers__combined_var }}` (which defaults to `5`)
+
+    * `pm_min_spare_servers`:
+
+        * Optional. The desired minimum number of idle server processes. Used only when `pm` is set to `'dynamic'`. [php.net](https://www.php.net/install.fpm.configuration.php#pm.min-spare-servers)
+        * Type: Number.
+        * Default: `{{ php__fpm_pool_conf_pm_min_spare_servers__combined_var }}` (which defaults to `5`)
+
+    * `pm_max_spare_servers`:
+
+        * Optional. The desired maximum number of idle server processes. Used only when `pm` is set to `'dynamic'`. [php.net](https://www.php.net/install.fpm.configuration.php#pm.max-spare-servers)
+        * Type: Number.
+        * Default: `{{ php__fpm_pool_conf_pm_max_spare_servers__combined_var }}` (which defaults to `35`)
+
+    * `pm_max_spawn_rate`:
+
+        * Optional. The number of rate to spawn child processes at once. Used only when `pm` is set to `'dynamic'`. [php.net](https://www.php.net/install.fpm.configuration.php#pm.max-spawn-rate)
+        * Type: Number.
+        * Default: `32`
+
+    * `pm_process_idle_timeout`:
+
+        * Optional. The number of seconds after which an idle process will be killed. Used only when `pm` is set to `'ondemand'`. Available units: s(econds, default), m(inutes), h(ours), or d(ays). [php.net](https://www.php.net/install.fpm.configuration.php#pm.process-idle-timeout)
+        * Type: String.
+        * Default: `'10s'`
+
+    * `pm_max_requests`:
+
+        * Optional. The number of requests each child process should execute before respawning. For endless request processing specify `0`. [php.net](https://www.php.net/install.fpm.configuration.php#pm.max-requests)
+        * Type: Number.
+        * Default: `500`
+
+    * `pm_status_path`:
+
+        * Optional. Path to view FPM status page. [php.net](https://www.php.net/install.fpm.configuration.php#pm.status-path)
+        * Type: String.
+        * Default: `'/{{ item["name"] }}-fpm-status'`
+
+    * `ping_path`:
+
+        * Optional. The ping path to check if FPM is alive and responding. [php.net](https://www.php.net/install.fpm.configuration.php#ping.path)
+        * Type: String.
+        * Default: `'/{{ item["name"] }}-fpm-ping'`
+
+    * `request_slowlog_timeout`:
+
+        * Optional. The timeout for serving a single request after which a PHP backtrace will be dumped to the slowlog file. A value of `0` means off. Available units: s(econds, default), m(inutes), h(ours), or d(ays). [php.net](https://www.php.net/install.fpm.configuration.php#request-slowlog-timeout)
+        * Type: Number.
+        * Default: `{{ php__fpm_pool_conf_request_slowlog_timeout__combined_var }}` (which defaults to `0`)
+
+    * `request_slowlog_trace_depth`:
+
+        * Optional. Depth of slow log stack trace. [php.net](https://www.php.net/install.fpm.configuration.php#request-slowlog-trace-depth)
+        * Type: Number.
+        * Default: `20`
+
+    * `request_terminate_timeout`:
+
+        * Optional. The timeout for serving a single request after which the worker process will be killed. This option should be used when the `max_execution_time` ini option does not stop script execution for some reason. A value of `0` means off. Available units: s(econds, default), m(inutes), h(ours), or d(ays).
+        * [php.net](https://www.php.net/install.fpm.configuration.php#request-terminate-timeout)
+        * Type: Number.
+        * Default: `{{ php__fpm_pool_conf_request_terminate_timeout__combined_var }}` (which defaults to `0`)
+
+    * `php_admin_value_session_save_path`:
+
+        * Optional. The role creates this directory, owned by the pool's `user` / `group` with mode `0700`, so pools cannot read each other's sessions. On RedHat it inherits the `httpd_var_run_t` SELinux type from the session base; if you point it outside the session base, you have to label it yourself. [php.net](https://www.php.net/session.save_path)
+        * Type: String.
+        * Default: `/var/lib/php/session/{{ item["name"] }}` (RedHat), `/var/lib/php/sessions/{{ item["name"] }}` (Debian)
+
+    * `php_admin_value_max_execution_time`:
+
+        * Optional. [php.net](https://www.php.net/max_execution_time)
+        * Type: Number.
+        * Default: `{{ php__ini_max_execution_time__combined_var }}`
+
+    * `php_admin_value_max_input_vars`:
+
+        * Optional. [php.net](https://www.php.net/max_input_vars)
+        * Type: Number.
+        * Default: `{{ php__ini_max_input_vars__combined_var }}`
+
+    * `php_admin_value_memory_limit`:
+
+        * Optional. [php.net](https://www.php.net/memory_limit)
+        * Type: String.
+        * Default: `'{{ php__ini_memory_limit__combined_var }}'`
+
+    * `php_admin_value_open_basedir`:
+
+        * Optional. [php.net](https://www.php.net/open_basedir)
+        * Type: String.
+        * Default: unset
+
+    * `php_admin_value_post_max_size`:
+
+        * Optional. [php.net](https://www.php.net/post_max_size)
+        * Type: String.
+        * Default: `'{{ php__ini_post_max_size__combined_var }}'`
+
+    * `php_admin_value_upload_max_filesize`:
+
+        * Optional. [php.net](https://www.php.net/upload_max_filesize)
         * Type: String.
+        * Default: `'{{ php__ini_upload_max_filesize__combined_var }}'`
 
     * `raw`:
 
         * Optional. Raw content which will be added to the end of the pool config.
         * Type: String.
+        * Default: unset
 
 Example:
 ```yaml
 # optional
-php__fpm_pool_conf_pm__host_var: 'dynamic'
-php__fpm_pool_conf_pm_max_children__host_var: 50
-php__fpm_pool_conf_pm_max_spare_servers__host_var: 35
-php__fpm_pool_conf_pm_min_spare_servers__host_var: 5
-php__fpm_pool_conf_pm_start_servers__host_var: 5
-php__fpm_pool_conf_request_slowlog_timeout__host_var: '10s'
-php__fpm_pool_conf_request_terminate_timeout__host_var: '60s'
 php__fpm_pools__host_var:
   - name: 'librenms'
     user: 'librenms'
     group: 'librenms'
+    pm: 'dynamic'
+    pm_max_children: 50
+    pm_max_spare_servers: 35
+    pm_min_spare_servers: 5
+    pm_start_servers: 5
+    request_slowlog_timeout: '10s'
+    request_terminate_timeout: '60s'
+    php_admin_value_session_save_path: '/var/lib/php/session' # use the shared session dir instead of the per-pool default /var/lib/php/session/librenms
     raw: |-
       env[PATH] = /usr/local/bin:/usr/bin:/bin
 ```