nixos/varnish: turn listen addresses into structured config (#421481)

authored by

Leona Maroni and committed by
GitHub
41ff90fc dc8b7fb2

+175 -6
+3
nixos/doc/manual/release-notes/rl-2511.section.md
··· 125 125 - `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask). 126 126 This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`. 127 127 128 + - `services.varnish.http_address` has been superseeded by `services.varnish.listen` which is now 129 + structured config for all of varnish's `-a` variations. 130 + 128 131 - [](#opt-services.gnome.gnome-keyring.enable) does not ship with an SSH agent anymore, as this is now handled by the `gcr_4` package instead of `gnome-keyring`. A new module has been added to support this, under [](#opt-services.gnome.gcr-ssh-agent.enable) (its default value has been set to [](#opt-services.gnome.gnome-keyring.enable) to ensure a smooth transition). See the [relevant upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67) for more details. 129 132 130 133 - The `nettools` package (ifconfig, arp, mii-tool, netstat, route) is not installed by default anymore. The suite is unmaintained and users should migrate to `iproute2` and `ethtool` instead.
+123 -3
nixos/modules/services/web-servers/varnish/default.nix
··· 6 6 }: 7 7 8 8 let 9 + inherit (lib) 10 + types 11 + mkOption 12 + hasPrefix 13 + concatMapStringsSep 14 + optionalString 15 + concatMap 16 + ; 17 + inherit (builtins) isNull; 18 + 9 19 cfg = config.services.varnish; 10 20 11 21 # Varnish has very strong opinions and very complicated code around handling ··· 36 26 else 37 27 "/var/run/varnishd"; 38 28 29 + # from --help: 30 + # -a [<name>=]address[:port][,proto] # HTTP listen address and port 31 + # [,user=<u>][,group=<g>] # Can be specified multiple times. 32 + # [,mode=<m>] # default: ":80,HTTP" 33 + # # Proto can be "PROXY" or "HTTP" (default) 34 + # # user, group and mode set permissions for 35 + # # a Unix domain socket. 36 + commandLineAddresses = 37 + (concatMapStringsSep " " ( 38 + a: 39 + "-a " 40 + + optionalString (!isNull a.name) "${a.name}=" 41 + + a.address 42 + + optionalString (!isNull a.port) ":${toString a.port}" 43 + + optionalString (!isNull a.proto) ",${a.proto}" 44 + + optionalString (!isNull a.user) ",user=${a.user}" 45 + + optionalString (!isNull a.group) ",group=${a.group}" 46 + + optionalString (!isNull a.mode) ",mode=${a.mode}" 47 + ) cfg.listen) 48 + + lib.optionalString (!isNull cfg.http_address) " -a ${cfg.http_address}"; 49 + addressSubmodule = types.submodule { 50 + options = { 51 + name = mkOption { 52 + description = "Name is referenced in logs. If name is not specified, 'a0', 'a1', etc. is used."; 53 + default = null; 54 + type = with types; nullOr str; 55 + }; 56 + address = mkOption { 57 + description = '' 58 + If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad 59 + ("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]"). 60 + 61 + (VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@" 62 + followed by the name of an abstract socket ("@myvarnishd") accept connections 63 + on a Unix domain socket. 64 + 65 + The user, group and mode sub-arguments may be used to specify the permissions 66 + of the socket file. 
These sub-arguments do not apply to abstract sockets. 67 + ''; 68 + type = types.str; 69 + }; 70 + port = mkOption { 71 + description = "The port to use for IP sockets. If port is not specified, port 80 (http) is used."; 72 + default = null; 73 + type = with types; nullOr int; 74 + }; 75 + proto = mkOption { 76 + description = "PROTO can be 'HTTP' (the default) or 'PROXY'. Both version 1 and 2 of the proxy protocol can be used."; 77 + type = types.enum [ 78 + "HTTP" 79 + "PROXY" 80 + ]; 81 + default = "HTTP"; 82 + }; 83 + user = mkOption { 84 + description = "User name who owns the socket file."; 85 + default = null; 86 + type = with lib.types; nullOr str; 87 + }; 88 + group = mkOption { 89 + description = "Group name who owns the socket file."; 90 + default = null; 91 + type = with lib.types; nullOr str; 92 + }; 93 + mode = mkOption { 94 + description = "Permission of the socket file (3-digit octal value)."; 95 + default = null; 96 + type = with types; nullOr str; 97 + }; 98 + }; 99 + }; 100 + checkedAddressModule = types.addCheck addressSubmodule ( 101 + m: 102 + ( 103 + if ((hasPrefix "@" m.address) || (hasPrefix "/" m.address)) then 104 + # this is a unix socket 105 + (m.port != null) 106 + else 107 + # this is not a path-based unix socket 108 + if !(hasPrefix "/" m.address) && (m.group != null) || (m.user != null) || (m.mode != null) then 109 + false 110 + else 111 + true 112 + ) 113 + ); 39 114 commandLine = 40 115 "-f ${pkgs.writeText "default.vcl" cfg.config}" 41 116 + ··· 149 54 package = lib.mkPackageOption pkgs "varnish" { }; 150 55 151 56 http_address = lib.mkOption { 152 - type = lib.types.str; 153 - default = "*:6081"; 57 + type = with lib.types; nullOr str; 58 + default = null; 154 59 description = '' 155 60 HTTP listen address and port. 
156 61 ''; 62 + }; 63 + 64 + listen = lib.mkOption { 65 + description = "Accept for client requests on the specified listen addresses."; 66 + type = lib.types.listOf checkedAddressModule; 67 + defaultText = lib.literalExpression ''[ { address="*"; port=6081; } ]''; 68 + default = lib.optional (isNull cfg.http_address) { 69 + address = "*"; 70 + port = 6081; 71 + }; 157 72 }; 158 73 159 74 config = lib.mkOption { ··· 202 97 serviceConfig = { 203 98 Type = "simple"; 204 99 PermissionsStartOnly = true; 205 - ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${stateDir} -F ${cfg.extraCommandLine} ${commandLine}"; 100 + ExecStart = "${cfg.package}/sbin/varnishd ${commandLineAddresses} -n ${stateDir} -F ${cfg.extraCommandLine} ${commandLine}"; 206 101 Restart = "always"; 207 102 RestartSec = "5s"; 208 103 User = "varnish"; ··· 222 117 ${cfg.package}/bin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1) 223 118 '') 224 119 ]; 120 + 121 + assertions = concatMap (m: [ 122 + { 123 + assertion = (hasPrefix "/" m.address) || (hasPrefix "@" m.address) -> m.port == null; 124 + message = "Listen ports must not be specified with UNIX sockets: ${builtins.toJSON m}"; 125 + } 126 + { 127 + assertion = !(hasPrefix "/" m.address) -> m.user == null && m.group == null && m.mode == null; 128 + message = "Abstract UNIX sockets or IP sockets can not be used with user, group, and mode settings: ${builtins.toJSON m}"; 129 + } 130 + ]) cfg.listen; 131 + 132 + warnings = 133 + lib.optional (!isNull cfg.http_address) 134 + "The option `services.varnish.http_address` is deprecated. Use `services.varnish.listen` instead."; 225 135 226 136 users.users.varnish = { 227 137 group = "varnish";
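Review bot: The `types.addCheck` predicate wrapped around `addressSubmodule` (new-side lines 100–113) disagrees with the `assertions` added at new-side lines 121–130: for a `/`- or `@`-prefixed address it returns `m.port != null`, i.e. it accepts a Unix socket only when a port *is* given, which is the opposite of what the assertion at line 123 enforces, and the `||`/`&&` mix at line 108 parses as `(!(hasPrefix "/" m.address) && m.group != null) || m.user != null || m.mode != null`. As far as I can tell `addCheck` also runs against the raw definition before submodule defaults are applied, so `m.port`, `m.user`, `m.group` and `m.mode` may be missing attributes for a definition such as the accompanying test's `{ address = "@asdf"; }`. Since the assertions already state both rules with a readable message and see the merged values, I would drop `checkedAddressModule` and use `type = lib.types.listOf addressSubmodule;` at line 66. Separately, `mode` is documented as a 3-digit octal value but typed `nullOr str`; tightening it to `type = with types; nullOr (strMatching "[0-7]{3,4}");` would reject a mistyped value before it becomes the socket's permissions.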
+49 -3
nixos/tests/varnish.nix
··· 10 10 11 11 nodes = { 12 12 varnish = 13 - { config, pkgs, ... }: 13 + { 14 + config, 15 + pkgs, 16 + lib, 17 + ... 18 + }: 14 19 { 15 20 services.nix-serve = { 16 21 enable = true; ··· 24 19 services.varnish = { 25 20 inherit package; 26 21 enable = true; 27 - http_address = "0.0.0.0:80"; 22 + http_address = "0.0.0.0:81"; 23 + listen = [ 24 + { 25 + address = "0.0.0.0"; 26 + port = 80; 27 + proto = "HTTP"; 28 + } 29 + { 30 + name = "proxyport"; 31 + address = "0.0.0.0"; 32 + port = 8080; 33 + proto = "PROXY"; 34 + } 35 + { address = "@asdf"; } 36 + { 37 + address = "/run/varnishd/client.http.sock"; 38 + user = "varnish"; 39 + group = "varnish"; 40 + mode = "660"; 41 + } 42 + ]; 28 43 config = '' 29 - vcl 4.0; 44 + vcl 4.1; 30 45 31 46 backend nix-serve { 32 47 .host = "127.0.0.1"; ··· 57 32 58 33 networking.firewall.allowedTCPPorts = [ 80 ]; 59 34 system.extraDependencies = [ testPath ]; 35 + 36 + assertions = 37 + map 38 + ( 39 + pattern: 40 + let 41 + cmdline = config.systemd.services.varnish.serviceConfig.ExecStart; 42 + in 43 + { 44 + assertion = lib.hasInfix pattern cmdline; 45 + message = "Address argument `${pattern}` missing in commandline `${cmdline}`."; 46 + } 47 + ) 48 + [ 49 + " -a 0.0.0.0:80,HTTP " 50 + " -a proxyport=0.0.0.0:8080,PROXY " 51 + " -a @asdf,HTTP " 52 + " -a /run/varnishd/client.http.sock,HTTP,user=varnish,group=varnish,mode=660 " 53 + " -a 0.0.0.0:81 " 54 + ]; 60 55 }; 61 56 62 57 client = ··· 92 47 testScript = '' 93 48 start_all() 94 49 varnish.wait_for_open_port(80) 50 + 95 51 96 52 client.wait_until_succeeds("curl -f http://varnish/nix-cache-info"); 97 53
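Review bot: The new `assertions` block (new-side lines 36–54) only checks that each `-a` argument appears in `ExecStart`; nothing in `testScript` exercises the added listeners, so a varnishd that rejected the abstract socket, the path socket or the PROXY listener at startup would go unnoticed as long as port 80 comes up. I would add after `varnish.wait_for_open_port(80)` the lines `varnish.wait_for_open_port(8080)` and `varnish.succeed("curl -f --unix-socket /run/varnishd/client.http.sock http://localhost/nix-cache-info")`, and to cover the `user`/`group`/`mode` fields `varnish.succeed("stat -c '%U:%G %a' /run/varnishd/client.http.sock | grep -q 'varnish:varnish 660'")`. The added blank line at new-side line 50 is whitespace noise. `testScript` continues past the end of the hunk.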