caddy: include and utilize systemd service from upstream (#147305)

2021-11-29 09:16:25 -05:00 · 2021-11-29 09:16:25 -05:00 · a4977db2e8
commit a4977db2e8
parent bcc975b98e
2 changed files with 29 additions and 21 deletions
--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@ -171,34 +171,27 @@ in
  };
  config = mkIf cfg.enable {
    systemd.packages = [ cfg.package ];
    systemd.services.caddy = {
      description = "Caddy web server";
      # upstream unit: https://github.com/caddyserver/dist/blob/master/init/caddy.service
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ]; # systemd-networkd-wait-online.service
      wantedBy = [ "multi-user.target" ];
      startLimitIntervalSec = 14400;
      startLimitBurst = 10;
      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/caddy run ${optionalString cfg.resume "--resume"} --config ${configJSON}";
+        # https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
-        ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}";
+        # If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
-        Type = "simple";
+        ExecStart = [ "" "${cfg.package}/bin/caddy run ${optionalString cfg.resume "--resume"} --config ${configJSON}" ];
        ExecReload = [ "" "${cfg.package}/bin/caddy reload --config ${configJSON}" ];
        User = cfg.user;
        Group = cfg.group;
        ReadWriteDirectories = cfg.dataDir;
        Restart = "on-abnormal";
-        AmbientCapabilities = "cap_net_bind_service";
+
-        CapabilityBoundingSet = "cap_net_bind_service";
+        # TODO: attempt to upstream these options
        NoNewPrivileges = true;
        LimitNPROC = 512;
        LimitNOFILE = 1048576;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectSystem = "full";
        ReadWriteDirectories = cfg.dataDir;
        KillMode = "mixed";
        KillSignal = "SIGQUIT";
        TimeoutStopSec = "5s";
      };
    };
--- a/pkgs/servers/caddy/default.nix
+++ b/pkgs/servers/caddy/default.nix
@ -1,20 +1,35 @@
 { lib, buildGoModule, fetchFromGitHub, nixosTests }:
-
+let
 buildGoModule rec {
  pname = "caddy";
  version = "2.4.6";
  dist = fetchFromGitHub {
    owner = "caddyserver";
    repo = "dist";
    rev = "v${version}";
    sha256 = "sha256-EXs+LNb87RWkmSWvs8nZIVqRJMutn+ntR241gqI7CUg=";
  };
 in
 buildGoModule {
  pname = "caddy";
  inherit version;
  subPackages = [ "cmd/caddy" ];
  src = fetchFromGitHub {
    owner = "caddyserver";
-    repo = pname;
+    repo = "caddy";
    rev = "v${version}";
    sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY=";
  };
  vendorSha256 = "sha256-NomgHqIiugSISbEtvIbJDn5GRn6Dn72adLPkAvLbUQU=";
  postInstall = ''
    install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
    substituteInPlace $out/lib/systemd/system/caddy.service --replace "/usr/bin/caddy" "$out/bin/caddy"
    substituteInPlace $out/lib/systemd/system/caddy-api.service --replace "/usr/bin/caddy" "$out/bin/caddy"
  '';
  passthru.tests = { inherit (nixosTests) caddy; };
  meta = with lib; {