Skip to content

Commit

Permalink
nixos/caddy: validate at build-time
Browse files Browse the repository at this point in the history
  • Loading branch information
@Stunkymonkey
Stunkymonkey committed Jan 26, 2025
1 parent 798f303 commit aa16781
Showing 1 changed file with 40 additions and 33 deletions.
73 changes: 40 additions & 33 deletions nixos/modules/services/web-servers/caddy/default.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,10 @@ let
configPath = "/etc/${etcConfigFile}";

mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;

runOptions = ''--config ${configPath} ${
optionalString (cfg.adapter != null) "--adapter ${cfg.adapter}"
}'';
in
{
imports = [
Expand Down Expand Up @@ -389,6 +393,15 @@ in
assertion = cfg.configFile == configFile -> cfg.adapter == "caddyfile" || cfg.adapter == null;
message = "To specify an adapter other than 'caddyfile' please provide your own configuration via `services.caddy.configFile`";
}
{
assertion =
(builtins.tryEval (
pkgs.runCommand "validate-caddy-config" { } ''
${lib.getExe cfg.package} validate ${runOptions}
''
)).success;
message = "Caddy configuration is invalid";
}
]
++ map (
name:
Expand Down Expand Up @@ -425,39 +438,33 @@ in
reloadTriggers = optional cfg.enableReload cfg.configFile;
restartTriggers = optional (!cfg.enableReload) cfg.configFile;

serviceConfig =
let
runOptions = ''--config ${configPath} ${
optionalString (cfg.adapter != null) "--adapter ${cfg.adapter}"
}'';
in
{
# Override the `ExecStart` line from upstream's systemd unit file by our own:
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
# If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
ExecStart = [
""
''${cfg.package}/bin/caddy run ${runOptions} ${optionalString cfg.resume "--resume"}''
];
# Validating the configuration before applying it ensures we’ll get a proper error that will be reported when switching to the configuration
ExecReload = [
""
] ++ lib.optional cfg.enableReload "${lib.getExe cfg.package} reload ${runOptions} --force";
User = cfg.user;
Group = cfg.group;
ReadWritePaths = [ cfg.dataDir ];
StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ];
LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ];
Restart = "on-failure";
RestartPreventExitStatus = 1;
RestartSec = "5s";
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;

# TODO: attempt to upstream these options
NoNewPrivileges = true;
PrivateDevices = true;
ProtectHome = true;
};
serviceConfig = {
# Override the `ExecStart` line from upstream's systemd unit file by our own:
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
# If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
ExecStart = [
""
''${lib.getExe cfg.package} run ${runOptions} ${optionalString cfg.resume "--resume"}''
];
# Validating the configuration before applying it ensures we’ll get a proper error that will be reported when switching to the configuration
ExecReload = [
""
] ++ lib.optional cfg.enableReload "${lib.getExe cfg.package} reload ${runOptions} --force";
User = cfg.user;
Group = cfg.group;
ReadWritePaths = [ cfg.dataDir ];
StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ];
LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ];
Restart = "on-failure";
RestartPreventExitStatus = 1;
RestartSec = "5s";
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;

# TODO: attempt to upstream these options
NoNewPrivileges = true;
PrivateDevices = true;
ProtectHome = true;
};
};

users.users = optionalAttrs (cfg.user == "caddy") {
Expand Down

0 comments on commit aa16781

Please sign in to comment.