caddy: include and utilize systemd service from upstream (#147305)

Aaron Andersen 2021-11-29 09:16:25 -05:00 committed by GitHub
parent bcc975b98e
commit a4977db2e8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 21 deletions


@ -171,34 +171,27 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.packages = [ cfg.package ];
systemd.services.caddy = { systemd.services.caddy = {
description = "Caddy web server";
# upstream unit: https://github.com/caddyserver/dist/blob/master/init/caddy.service
after = [ "network-online.target" ];
wants = [ "network-online.target" ]; # systemd-networkd-wait-online.service
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
startLimitIntervalSec = 14400; startLimitIntervalSec = 14400;
startLimitBurst = 10; startLimitBurst = 10;
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/caddy run ${optionalString cfg.resume "--resume"} --config ${configJSON}"; # https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}"; # If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
Type = "simple"; ExecStart = [ "" "${cfg.package}/bin/caddy run ${optionalString cfg.resume "--resume"} --config ${configJSON}" ];
ExecReload = [ "" "${cfg.package}/bin/caddy reload --config ${configJSON}" ];
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ReadWriteDirectories = cfg.dataDir;
Restart = "on-abnormal"; Restart = "on-abnormal";
AmbientCapabilities = "cap_net_bind_service";
CapabilityBoundingSet = "cap_net_bind_service"; # TODO: attempt to upstream these options
NoNewPrivileges = true; NoNewPrivileges = true;
LimitNPROC = 512;
LimitNOFILE = 1048576;
PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
ProtectHome = true; ProtectHome = true;
ProtectSystem = "full";
ReadWriteDirectories = cfg.dataDir;
KillMode = "mixed";
KillSignal = "SIGQUIT";
TimeoutStopSec = "5s";
}; };
}; };
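Review bot: The new serviceConfig drops `CapabilityBoundingSet = "cap_net_bind_service";` together with the other directives now expected to come from the upstream unit, but that upstream file is not visible on this page, and the `# TODO: attempt to upstream these options` comment suggests at least some hardening remains NixOS-only; if the upstream unit does not set a bounding set, the process keeps the default (full) bounding set even though only `cap_net_bind_service` is needed. I would keep `CapabilityBoundingSet = "cap_net_bind_service";` under the TODO comment next to `NoNewPrivileges = true;` unless the upstream unit is confirmed to provide it. The same confirmation applies to `ProtectSystem`, `PrivateTmp`, `LimitNOFILE`/`LimitNPROC` and `TimeoutStopSec`, which are removed here on the assumption that the packaged unit carries them; a one-line comment listing which directives are inherited from upstream would make that dependency explicit to the next maintainer. The `ExecStart = [ "" ... ]` reset form is the documented way to replace the upstream command, so that part reads correctly. The enclosing `config = mkIf cfg.enable` attribute set closes outside this hunk.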


@ -1,20 +1,35 @@
{ lib, buildGoModule, fetchFromGitHub, nixosTests }: { lib, buildGoModule, fetchFromGitHub, nixosTests }:
let
buildGoModule rec {
pname = "caddy";
version = "2.4.6"; version = "2.4.6";
dist = fetchFromGitHub {
owner = "caddyserver";
repo = "dist";
rev = "v${version}";
sha256 = "sha256-EXs+LNb87RWkmSWvs8nZIVqRJMutn+ntR241gqI7CUg=";
};
in
buildGoModule {
pname = "caddy";
inherit version;
subPackages = [ "cmd/caddy" ]; subPackages = [ "cmd/caddy" ];
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "caddyserver"; owner = "caddyserver";
repo = pname; repo = "caddy";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY="; sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY=";
}; };
vendorSha256 = "sha256-NomgHqIiugSISbEtvIbJDn5GRn6Dn72adLPkAvLbUQU="; vendorSha256 = "sha256-NomgHqIiugSISbEtvIbJDn5GRn6Dn72adLPkAvLbUQU=";
postInstall = ''
install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
substituteInPlace $out/lib/systemd/system/caddy.service --replace "/usr/bin/caddy" "$out/bin/caddy"
substituteInPlace $out/lib/systemd/system/caddy-api.service --replace "/usr/bin/caddy" "$out/bin/caddy"
'';
passthru.tests = { inherit (nixosTests) caddy; }; passthru.tests = { inherit (nixosTests) caddy; };
meta = with lib; { meta = with lib; {