Document updated per-app PHP-FPM pool and filesystem permissions
Updates SERVER.md with deploy-dvla user separation, dedicated php8.4-fpm-dvla pool configuration, explicit directory permissions for Laravel storage/cache/database, and known production gaps
This commit is contained in:
34
SERVER.md
34
SERVER.md
@@ -12,16 +12,34 @@ you change the box.
|
|||||||
- **Hostname:** ubuntu-4gb-dvla-api
|
- **Hostname:** ubuntu-4gb-dvla-api
|
||||||
- **Swap:** 2 GB swapfile at `/swapfile` (mounted via `/etc/fstab`)
|
- **Swap:** 2 GB swapfile at `/swapfile` (mounted via `/etc/fstab`)
|
||||||
|
|
||||||
## Users
|
## Users (UPDATED)
|
||||||
|
|
||||||
- `root` — break-glass admin only
|
- deploy (UID 1000) — human admin, sudo, your SSH key
|
||||||
- `deploy` (UID 1000) — owns the app directory, performs deployments
|
- deploy-dvla (UID 1001) — owns and runs dvla-api, no sudo, your SSH key
|
||||||
- `www-data` — nginx + PHP-FPM runtime user; group-shared with `deploy` for file access
|
- www-data — nginx only, no group memberships in app users
|
||||||
|
|
||||||
> **Note:** This box runs **one** app. If a second app is ever added, the
|
## PHP-FPM (UPDATED)
|
||||||
> default PHP-FPM `www` pool MUST be split into per-app pools running as
|
|
||||||
> per-app system users, or the apps will be able to read each other's `.env`
|
- Pool: /etc/php/8.4/fpm/pool.d/dvla-api.conf
|
||||||
> and SQLite files. See the earlier project chats for the multi-app layout.
|
- Runs as deploy-dvla
|
||||||
|
- Socket: /run/php/php8.4-fpm-dvla.sock
|
||||||
|
- pm.max_children = 3
|
||||||
|
- Default www.conf disabled (renamed to www.conf.disabled)
|
||||||
|
|
||||||
|
## Filesystem perms
|
||||||
|
|
||||||
|
- /var/www/dvla-api: 2755 (traversable so nginx can reach public/)
|
||||||
|
- App subdirs: 2750 (deploy-dvla owner+group only)
|
||||||
|
- public/: 755/644 (world-readable, intentional)
|
||||||
|
- .env: 600
|
||||||
|
- storage/, bootstrap/cache/: 2770 (writable by deploy-dvla)
|
||||||
|
- database/: 2770, database.sqlite: 660
|
||||||
|
|
||||||
|
## Known gaps
|
||||||
|
|
||||||
|
- No backups
|
||||||
|
- No HTTPS yet
|
||||||
|
- Token-based git auth (not SSH) — Pangolin doesn't forward SSH to Gitea o
|
||||||
|
|
||||||
## Web stack
|
## Web stack
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user