diff --git a/bundles/nginx/files/fastcgi.conf b/bundles/nginx/files/fastcgi.conf
new file mode 100644
index 0000000..53c0edd
--- /dev/null
+++ b/bundles/nginx/files/fastcgi.conf
@@ -0,0 +1,26 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+fastcgi_param REDIRECT_STATUS 200;
+
+# This is the only thing that's different to the debian default.
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index c38e9b7..1c3e8b5 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -63,13 +63,13 @@ server { % if php: location ~ \.php$ { - include fastcgi_params; + include fastcgi.conf; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php/php7.3-fpm.sock; + fastcgi_pass unix:/run/php/php${php_version}-fpm.sock; } % endif % if extras: -<%include file="extras/${node.name}/${domain}" /> +<%include file="extras/${node.name}/${vhost}" /> % endif }
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index fd95d5c..da3388f 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
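Review bot: The parameter list in the new fastcgi.conf has no `fastcgi_param HTTP_PROXY "";` line, so a client-supplied `Proxy:` request header reaches PHP as `HTTP_PROXY` in the request environment. Since this file now replaces `fastcgi_params` for every PHP vhost, it is the natural place to blank that variable. The comment above `SCRIPT_FILENAME` could also say why the line matters, for example `# PHP-FPM resolves the script from SCRIPT_FILENAME; keep it rooted at the vhost's document root.`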
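Review bot: The `location ~ \.php$` block in site_template hands every URI ending in `.php` to PHP-FPM without checking that the script exists under the document root, and fastcgi.conf in this commit builds `SCRIPT_FILENAME` from that URI. Add `try_files $fastcgi_script_name =404;` directly after the `fastcgi_split_path_info` line so nginx answers requests for missing scripts itself; the php.ini added in this commit leaves `cgi.fix_pathinfo` at its default, so PHP would otherwise do its own path resolution. `${php_version}` is spliced into the socket path as-is, so a template comment stating that it must be a plain version string such as `7.4` would help. The enclosing `server` block starts outside the hunk.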
@@ -15,6 +15,11 @@ files = {
 'svc_systemd:nginx:restart',
 },
 },
+ '/etc/nginx/fastcgi.conf': {
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ },
 '/etc/nginx/sites/stub_status': {
 'triggers': {
 'svc_systemd:nginx:restart',
@@ -60,6 +65,7 @@ for vhost, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
 'content_type': 'mako',
 'context': {
 'vhost': vhost,
+ 'php_version': node.metadata.get('php', {}).get('version', ''),
 **config,
 },
 'needs': set(),
diff --git a/bundles/php/files/7.4/fpm.conf b/bundles/php/files/7.4/fpm.conf
new file mode 100644
index 0000000..bc745f5
--- /dev/null
+++ b/bundles/php/files/7.4/fpm.conf
@@ -0,0 +1,23 @@
+[global]
+pid=/run/php/php7.4-fpm.pid
+; We're using journal, put logs there
+error_log=/var/log/php7.4-fpm.log
+daemonize=yes
+
+; The one and only worker pool we have
+[www]
+user=www-data
+group=www-data
+listen=/run/php/php7.4-fpm.sock
+listen.owner=www-data
+listen.group=www-data
+listen.mode=0600
+
+; Process Manager Settings
+pm=dynamic
+pm.max_children=${num_cpus*4}
+pm.start_servers=${num_cpus}
+pm.max_spare_servers=${num_cpus*2}
+pm.min_spare_servers=${num_cpus}
+pm.process_idle_timeout=30s
+pm.max_requests=1024
diff --git a/bundles/php/files/7.4/php.ini b/bundles/php/files/7.4/php.ini
new file mode 100644
index 0000000..45b78bf
--- /dev/null
+++ b/bundles/php/files/7.4/php.ini
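Review bot: The `''` fallback on the added `php_version` line in the second items.py hunk hides a missing `php/version`. A vhost with `php` enabled on a node without that metadata renders `fastcgi_pass unix:/run/php/php-fpm.sock;`, a path the PHP bundle in this commit never creates (its socket is `/run/php/php7.4-fpm.sock`), so the mistake would only show up as failed requests after deploy. Failing at render time is safer, for example `'php_version': node.metadata['php']['version'] if config.get('php') else '',`, assuming `php` reaches the template through `config` as the `**config` spread suggests. The `for vhost, config` loop and the dict being built start and end outside the hunk.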
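Review bot: The comment `; We're using journal, put logs there` in fpm.conf contradicts the next line, which writes to `/var/log/php7.4-fpm.log`. Either set `error_log=syslog` to match the `error_log = syslog` in this commit's php.ini, or reword the comment, so that whoever looks for FPM errors during an incident checks the right place. The single `[www]` pool runs as `www-data` behind a `0600` socket owned by `www-data`, so every PHP vhost on the node shares one identity; if the nginx workers also run as `www-data` (not visible here), PHP code can read whatever the web server can. A comment recording that this is intended would help, e.g. `; All vhosts share this pool and user; add a per-site pool if isolation is needed.`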
@@ -0,0 +1,99 @@
+[PHP]
+; Only needed for libapache2-mod-php?
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+serialize_precision = -1
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals
+ignore_user_abort = Off
+zend.enable_gc = On
+expose_php = Off
+
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 256M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_startup_errors = Off
+log_errors = On
+log_errors_max_len = 1024
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+html_errors = On
+error_log = syslog
+syslog.ident = php7.4
+syslog.filter = ascii
+
+arg_separator.output = "&"
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = ${post_max_size}M
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+
+enable_dl = Off
+file_uploads = On
+upload_max_filesize = ${post_max_size}M
+max_file_uploads = 20
+
+allow_url_fopen = On
+allow_url_include = Off
+default_socket_timeout = 10
+
+[CLI Server]
+cli_server.color = On
+
+[mail function]
+mail.add_x_header = Off
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 32
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 6
+
+[Assertion]
+zend.assertions = -1
diff --git a/bundles/php/items.py b/bundles/php/items.py
new file mode 100644
index 0000000..144ccca
--- /dev/null
+++ b/bundles/php/items.py
@@ -0,0 +1,53 @@
+version = node.metadata['php']['version']
+
+files = {
+ f'/etc/php/{version}/fpm/php-fpm.conf': {
+ 'source': f'{version}/fpm.conf',
+ 'content_type': 'mako',
+ 'context': {
+ 'num_cpus': node.metadata['vm']['cpu'],
+ },
+ 'needs': {
+ # "all php packages"
+ 'pkg_apt:'
+ },
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
+ },
+ },
+ f'/etc/php/{version}/fpm/php.ini': {
+ 'source': f'{version}/php.ini',
+ 'context': {
+ 'num_cpus': node.metadata['vm']['cpu'],
+ 'post_max_size': node.metadata['php'].get('post_max_size', 10),
+ },
+ 'needs': {
+ # "all php packages"
+ 'pkg_apt:'
+ },
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
+ },
+ },
+ f'/etc/php/{version}/cli/php.ini': {
+ 'source': f'{version}/php.ini',
+ 'context': {
+ 'num_cpus': node.metadata['vm']['cpu'],
+ 'post_max_size': node.metadata['php'].get('post_max_size', 10),
+ },
+ 'needs': {
+ # "all php packages"
+ 'pkg_apt:'
+ },
+ },
+}
+
+svc_systemd = {
+ f'php{version}-fpm': {
+ 'needs': {
+ 'pkg_apt:',
+ f'file:/etc/php/{version}/fpm/php-fpm.conf',
+ f'file:/etc/php/{version}/fpm/php.ini',
+ },
+ },
+}
diff --git a/bundles/php/metadata.py b/bundles/php/metadata.py
new file mode 100644
index 0000000..c014ffa
--- /dev/null
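Review bot: `display_errors` is never set in the new php.ini, so PHP's built-in default applies, and that default is on. Combined with `html_errors = On`, warnings, file paths and stack details would be rendered into responses even though `log_errors` already sends them to syslog. In `[Session]`, `session.use_strict_mode = 0` accepts session IDs chosen by the client, and the empty `session.cookie_httponly =` and `session.cookie_samesite =` leave the session cookie readable by page scripts and sent on cross-site requests. The values below are the usual hardened ones; `Lax` and a possible `session.cookie_secure = 1` should be checked against the hosted applications and whether every vhost is HTTPS-only.

```ini
display_errors = Off
display_startup_errors = Off
; … unchanged: logging, request and upload settings …
session.use_strict_mode = 1
; … unchanged: session.use_cookies through session.cookie_domain …
session.cookie_httponly = 1
session.cookie_samesite = Lax
```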
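Review bot: Both `php.ini` entries in php/items.py pass a `context` but, unlike the `php-fpm.conf` entry, omit `'content_type': 'mako'`. If the file item's default content type does not render templates, `${post_max_size}M` is written to disk literally and the POST and upload limits are not the configured values. Add `'content_type': 'mako',` to the `fpm/php.ini` and `cli/php.ini` entries. `num_cpus` is passed to both although the php.ini template never uses it. The bare `'pkg_apt:'` dependency looks like it selects every `pkg_apt` item rather than only PHP ones, so the comment `# "all php packages"` could read `# empty name: wait for every pkg_apt item, which includes the PHP packages`.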
+++ b/bundles/php/metadata.py
@@ -0,0 +1,47 @@
+defaults = {
+ 'apt': {
+ 'repos': {
+ 'php': {
+ 'items': {
+ 'deb https://packages.sury.org/php/ {os_release} main',
+ },
+ },
+ },
+ },
+}
+
+
+@metadata_reactor
+def php_packages_with_features(metadata):
+ version = metadata.get('php/version')
+
+ packages = {
+ f'php{version}': {
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
+ }
+ },
+ f'php{version}-cli': {
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
+ }
+ },
+ f'php{version}-fpm': {
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
+ }
+ },
+ }
+
+ for package in metadata.get('php/packages', set()):
+ packages[f'php{version}-{package}'] = {
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
+ }
+ }
+
+ return {
+ 'apt': {
+ 'packages': packages,
+ },
+ }
diff --git a/data/apt/files/gpg-keys/php.asc b/data/apt/files/gpg-keys/php.asc
new file mode 100644
index 0000000..b015792
--- /dev/null
+++ b/data/apt/files/gpg-keys/php.asc
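Review bot: The added `deb https://packages.sury.org/php/ {os_release} main` source in metadata.py has no `[signed-by=...]` option and the commit adds no apt pin. How far the new key in `data/apt/files/gpg-keys/php.asc` is trusted therefore depends on the apt bundle, which is not shown here. If that bundle installs keys into the global trusted keyring, this third-party key can vouch for packages from any configured source, and without a pin the repository can supersede any Debian package it also publishes. Scoping it would look like `'deb [signed-by=<KEYRING_PATH>] https://packages.sury.org/php/ {os_release} main',` (placeholder path) plus a preferences entry restricting what this origin may upgrade. Recording where the key was obtained and its fingerprint in the commit message would let later key rotations be checked.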
@@ -0,0 +1,42 @@ +-----BEGIN PGP ARMORED FILE----- +Comment: Use "gpg --dearmor" for unpacking + +mQGNBFyPb58BDADTDlJLrGJktWDaUT0tFohjFxy/lL2GcVYp4zB981MWIDC0aIQZ +ERfUZRaq/ov/LG3F0UhkvouCNrnXiFaKRCeNG52pQM0P/p3gmIOoPO4/jF0o3SK1 +Aapf/NaKTh3EgeYYCnVKuxdXGqyu1JT4qfztsmUGmODzxVr+/YJLP54jrCUgI3lj +4zEeTBDexQvnlVUF59U1/ipMq4iWqqth8/aMsoZl3Ztfcc87jBFbJIoeQMhZtNZk +Ik7L15aYIZXWY2byBy6LB42HPm9DwM99l2eY4EXGfAq/UQeYbDGonibBqrDURggH +rkLfG7ZfoexF67/9S2s6VYfS4npWVfw2SEPTfSBdibElbGncd+p9Wb6SovqapCPl +crkLgPhBAz/R9M7E/G3zedmiEhsV78pBF3bup+nQVvBVtV/NucN5N6LkAclT4O3F +flGZa1/mJcpgjVapT6duY0POXczfS6ts55x2BE0UfYtXfRnVnHtu2+j8kqYG3N1G +sfVnzRkwtTWBMxMAEQEAAbQxREVCLlNVUlkuT1JHIEF1dG9tYXRpYyBTaWduaW5n +IEtleSA8ZGViQHN1cnkub3JnPokB1AQTAQoAPhYhBBUFhQCgI12X9dEAY7GI4raV +vUdDBQJcj2+fAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELGI +4raVvUdDROUMANJjLVGk6TLYZKyRc8HZXyMRmw55nCQXsy8DHen6H7MuZHaxV9sf +1tF1cQwPnv3HFlg7nZBFszyReW7s3LOcPuNXS90Sk5o7WLqVMkE+t46iNNGuIt3s +WxPdYqY4ueCnUHHEFDKhlwlJnNh3+yVNci4nV+6SlzoasEjy5P82+pviop3viSlA +8lgXdOYERRqZ1wh0Vip5gxcNIdm+TqWINI9+7T/87GfZzn84Zlvd0GnfjT6aN6RC +sIADIOqJUW/TPzvdytwlXc4oZvqk47P0YePS6VFd+TrIRHHsmYxwTVPNjCT7eMz6 +AfEtPbTZHWI9oOWU+tiAogeR7k1yORknf+HcLZ1RnfDxyWgEh/p9eWuBeNCgLVSF +tcYCJvRU8OFwRPz8B7rs3/tjrabrkV8iVaEeiCZkqPpaqZF6QaY2Z2YmZEtFsUMb +rVwLbfBj4+3CSY90rlRolZDJjea6oXtjWXPXANSJ5gJZI9qFbX0WBXJ7dilrfUfH +wrsqkH97072OTbkBjQRcj2+fAQwA4McaM/y2XQSHlJBSYR7yqZtHX/kZ8g9pnViq +kCEADz8XKCroEzvY1gaWtR6obtjaq8pF0g4KtAC65/gIOtsHvWg3OclrODPkXN+x +OM1LpXZGV6kwk+LXOrybtPhVZe3FtvDMW0MVZeHYi+soZ4tTQHkKjZUPAXZs3ZoZ +rWfE5ft447sCxzX+jxDwwlckkKqZ9sHYD0TV8Y5av3RsxiWBt+coch8jvw+1mDZ0 +zBjMO8ZRD8PuvP9UTKCNOIm0mW9A2cUfpkk/uAwo5hCnw4iljS81/KKGM/scwc5K +x6G3WWoAb8kajt0VFG/wYN2qjfjdhXtdu3ZxYtDdjA2UGGRbgkCsr+gRCnSTiuwv +LzCVZCz9WNzZjUMg6LFP2IrHned4Kdy4KjJo+g/weKJoxfKokZ/9vUYpw5OYx3UE +SUk3yHDN9r/JC4RJJ2tE2qkeggJ892RJGxUK/Lw3/7jIQKalO3Qx2zYUqnCYMC9g +PhQGH+F9kwSpGVwb0DKFT6gR9Pt3ABEBAAGJAbwEGAEKACYWIQQVBYUAoCNdl/XR 
+AGOxiOK2lb1HQwUCXI9vnwIbDAUJA8JnAAAKCRCxiOK2lb1HQ9pWDACel7BTcpj9 +qYJOkEx9eAVH1LmdP5oHAJSe4fYVIc5Tn6X0J1pdju+UJvtUS6WQu7pfcsQ7IkbK +XVygaw/YPqk/tE/vJVUaCGlzAaVHO7y5ZM0cdDquOgmo/RZe2WNVFhVEPILjz+qc +mX1OVeTElCu4iR/5CD0ocWZmdFvMRitKL+Nt5/pS8yXRfQlXaUxerLvx27QhwpHX +HFGNgbI8Tj/yCUCButZvDKUc+5o9WCYHvt/bf6VcNY6P585J0+CF1vAyfWQ9KCyC +F5CplURsNPMKAdkPo7vKRq6qviJpeWjJzXPkADfVnfhW9GMna8bPi86NJo1PkGcb +1IInxGmNRmnCqtqyPFd+AFGk2OFuEqeDw7GvjB5zD5u1vIdH3WE0Q+D0xxLfaxJ7 +1qmhuTPRnpWqfmdA2tnuFOZ+Th4HRfbyA4IoJr3U8FuFXJnJdoBjh6+pJacI9UYr +IcNyOoi1I35gHvFoKJ7Ut9deNdKMeN3bAR+1JShVtdROzgGtPj/bMFg= +=74SA +-----END PGP ARMORED FILE-----