From 5ca89402eec1a634b2e94cdf407b92095cdacfa2 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Thu, 23 Sep 2021 08:54:25 +0200
Subject: [PATCH] nixos/trafficserver: avoid input from derivation

Using builtins.readFile to load upstream defaults is a clever trick, but it's not allowed in restricted evaluation mode: which means it fails on Hydra, for example. Besides - in Nixpkgs - depending on derivation as inputs is considered bad practice and should be avoided.
---
 nixos/modules/module-list.nix                 |  2 +-
 .../default.nix}                              | 16 +-------
 .../web-servers/trafficserver/ip_allow.json   | 36 ++++++++++++++++++
 .../web-servers/trafficserver/logging.json    | 37 +++++++++++++++++++
 4 files changed, 76 insertions(+), 15 deletions(-)
 rename nixos/modules/services/web-servers/{trafficserver.nix => trafficserver/default.nix} (95%)
 create mode 100644 nixos/modules/services/web-servers/trafficserver/ip_allow.json
 create mode 100644 nixos/modules/services/web-servers/trafficserver/logging.json

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 19e9f5a27bed..a7decf889877 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1031,7 +1031,7 @@
   ./services/web-servers/shellinabox.nix
   ./services/web-servers/tomcat.nix
   ./services/web-servers/traefik.nix
-  ./services/web-servers/trafficserver.nix
+  ./services/web-servers/trafficserver/default.nix
   ./services/web-servers/ttyd.nix
   ./services/web-servers/uwsgi.nix
   ./services/web-servers/varnish/default.nix
diff --git a/nixos/modules/services/web-servers/trafficserver.nix b/nixos/modules/services/web-servers/trafficserver/default.nix
similarity index 95%
rename from nixos/modules/services/web-servers/trafficserver.nix
rename to nixos/modules/services/web-servers/trafficserver/default.nix
index db0e2ac0bd05..341e8b13976a 100644
--- a/nixos/modules/services/web-servers/trafficserver.nix
+++ b/nixos/modules/services/web-servers/trafficserver/default.nix
@@ -8,21 +8,9 @@ let
   group = config.users.groups.trafficserver.name;
   getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html";
-  getConfPath = name: "${pkgs.trafficserver}/etc/trafficserver/${name}";
   yaml = pkgs.formats.yaml { };
-  fromYAML = f:
-    let
-      jsonFile = pkgs.runCommand "in.json"
-        {
-          nativeBuildInputs = [ pkgs.remarshal ];
-        } ''
-        yaml2json < "${f}" > "$out"
-      '';
-    in
-    builtins.fromJSON (builtins.readFile jsonFile);
-
   mkYamlConf = name: cfg:
     if cfg != null then {
       "trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg;
@@ -73,7 +61,7 @@ in
     ipAllow = mkOption {
       type = types.nullOr yaml.type;
-      default = fromYAML (getConfPath "ip_allow.yaml");
+      default = builtins.fromJSON (builtins.readFile ./ip_allow.json);
       defaultText = "upstream defaults";
       example = literalExample {
         ip_allow = [{
@@ -94,7 +82,7 @@ in
     logging = mkOption {
       type = types.nullOr yaml.type;
-      default = fromYAML (getConfPath "logging.yaml");
+      default = builtins.fromJSON (builtins.readFile ./logging.json);
       defaultText = "upstream defaults";
       example = literalExample { };
       description = ''
diff --git a/nixos/modules/services/web-servers/trafficserver/ip_allow.json b/nixos/modules/services/web-servers/trafficserver/ip_allow.json
new file mode 100644
index 000000000000..fc2db8037286
--- /dev/null
+++ b/nixos/modules/services/web-servers/trafficserver/ip_allow.json
@@ -0,0 +1,36 @@
+{
+  "ip_allow": [
+    {
+      "apply": "in",
+      "ip_addrs": "127.0.0.1",
+      "action": "allow",
+      "methods": "ALL"
+    },
+    {
+      "apply": "in",
+      "ip_addrs": "::1",
+      "action": "allow",
+      "methods": "ALL"
+    },
+    {
+      "apply": "in",
+      "ip_addrs": "0/0",
+      "action": "deny",
+      "methods": [
+        "PURGE",
+        "PUSH",
+        "DELETE"
+      ]
+    },
+    {
+      "apply": "in",
+      "ip_addrs": "::/0",
+      "action": "deny",
+      "methods": [
+        "PURGE",
+        "PUSH",
+        "DELETE"
+      ]
+    }
+  ]
+}
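Review bot: The new `default = builtins.fromJSON (builtins.readFile ./ip_allow.json);` pins a checked-in copy of upstream's ip_allow.yaml instead of reading whatever `pkgs.trafficserver` ships, so a package bump that changes upstream's default rules (a new deny entry, say) will silently not reach hosts relying on the module default, and `defaultText = "upstream defaults";` now promises more than the file delivers. Since the JSON file cannot carry a comment, record the provenance here, e.g. `# Snapshot of upstream ip_allow.yaml converted to JSON; re-check it against the new package on every pkgs.trafficserver update.` above the `default`, and let `defaultText` read `"upstream defaults (snapshot in ip_allow.json)"`; the same applies to the logging default in the following hunk. As a matter of style, nixpkgs usually spells this `lib.importJSON ./ip_allow.json` (plain `importJSON` if the module opens with `with lib;`, which is outside what I can see). The `ipAllow` option definition continues past the hunk, so its description is not visible here.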
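Review bot: The checked-in ip_allow.json drops the explanatory comments upstream keeps in ip_allow.yaml and JSON gives nowhere to put them back, so nothing in the module now explains what these four entries do: as I read ATS's ip_allow semantics, the `"ip_addrs": "0/0"` and `"ip_addrs": "::/0"` entries with `"action": "deny"` plus a method list deny only PURGE, PUSH and DELETE and let every other method through from any address, while the two loopback entries grant the full method set to 127.0.0.1 and ::1. That is upstream's shipped default rather than something this commit introduces, but an operator deciding whether to override `ipAllow` should see it spelled out. The option's description (outside this diff) is the place to say that rules are matched first-hit in order and that the default allows everything except PURGE/PUSH/DELETE from everywhere and all methods from loopback; if the description already does, a one-line pointer next to the default, `# See ip_allow.json: loopback gets ALL, everyone else everything but PURGE/PUSH/DELETE.`, still helps the next reader of the module.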
diff --git a/nixos/modules/services/web-servers/trafficserver/logging.json b/nixos/modules/services/web-servers/trafficserver/logging.json
new file mode 100644
index 000000000000..81e7ba0186c6
--- /dev/null
+++ b/nixos/modules/services/web-servers/trafficserver/logging.json
@@ -0,0 +1,37 @@
+{
+  "logging": {
+    "formats": [
+      {
+        "name": "welf",
+        "format": "id=firewall time=\"% %\" fw=% pri=6 proto=% duration=% sent=% rcvd=% src=% dst=% dstname=% user=% op=% arg=\"%\" result=% ref=\"%<{Referer}cqh>\" agent=\"%<{user-agent}cqh>\" cache=%"
+      },
+      {
+        "name": "squid_seconds_only_timestamp",
+        "format": "% % % %/% % % % % %/% %"
+      },
+      {
+        "name": "squid",
+        "format": "% % % %/% % % % % %/% %"
+      },
+      {
+        "name": "common",
+        "format": "% - % [%] \"%\" % %"
+      },
+      {
+        "name": "extended",
+        "format": "% - % [%] \"%\" % % % % % % % % % % %"
+      },
+      {
+        "name": "extended2",
+        "format": "% - % [%] \"%\" % % % % % % % % % % % % % % %"
+      }
+    ],
+    "logs": [
+      {
+        "filename": "squid",
+        "format": "squid",
+        "mode": "binary"
+      }
+    ]
+  }
+}
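Review bot: Every `"format"` string in this file appears here as runs of bare `%` (e.g. `"% % % %/% % % % % %/% %"` for `squid`), whereas ATS log formats are `%<field>` tokens, and only the `%<{Referer}cqh>` / `%<{user-agent}cqh>` fields of `welf` survived intact; that pattern suggests the angle-bracketed tokens were stripped when this page was rendered rather than a defect in the commit, but if the committed file really reads this way every log format is invalid and the server would start with unusable logging. Diff the file against the logging.yaml shipped by the packaged Traffic Server before trusting it. Since the JSON cannot hold a comment, a pointer in the module next to the logging default, e.g. `# logging.json is upstream logging.yaml converted with yaml2json; regenerate it rather than hand-editing.`, would make re-syncing straightforward.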