authorrnhmjoj <rnhmjoj@inventati.org>2021-09-23 08:54:25 +0200
committerrnhmjoj <rnhmjoj@inventati.org>2021-09-23 12:52:31 +0200
commit5ca89402eec1a634b2e94cdf407b92095cdacfa2 (patch)
tree4b710b7d00c598a9749d42d7a348fc0dfd2858da /nixos
parentdc2cebde006c6b7f26565cee9f8aaf4e55ba56fb (diff)
nixos/trafficserver: avoid input from derivation
Using builtins.readFile to load upstream defaults is a clever trick, but
it's not allowed in restricted evaluation mode, which means it fails on
Hydra, for example. Besides, in Nixpkgs, depending on derivations as
inputs is considered bad practice and should be avoided.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/services/web-servers/trafficserver/default.nix (renamed from nixos/modules/services/web-servers/trafficserver.nix)16
-rw-r--r--nixos/modules/services/web-servers/trafficserver/ip_allow.json36
-rw-r--r--nixos/modules/services/web-servers/trafficserver/logging.json37
4 files changed, 76 insertions, 15 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 19e9f5a27be..a7decf88987 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1031,7 +1031,7 @@
   ./services/web-servers/shellinabox.nix
   ./services/web-servers/tomcat.nix
   ./services/web-servers/traefik.nix
-  ./services/web-servers/trafficserver.nix
+  ./services/web-servers/trafficserver/default.nix
   ./services/web-servers/ttyd.nix
   ./services/web-servers/uwsgi.nix
   ./services/web-servers/varnish/default.nix
diff --git a/nixos/modules/services/web-servers/trafficserver.nix b/nixos/modules/services/web-servers/trafficserver/default.nix
index db0e2ac0bd0..341e8b13976 100644
--- a/nixos/modules/services/web-servers/trafficserver.nix
+++ b/nixos/modules/services/web-servers/trafficserver/default.nix
@@ -8,21 +8,9 @@ let
   group = config.users.groups.trafficserver.name;
 
   getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html";
-  getConfPath = name: "${pkgs.trafficserver}/etc/trafficserver/${name}";
 
   yaml = pkgs.formats.yaml { };
 
-  fromYAML = f:
-    let
-      jsonFile = pkgs.runCommand "in.json"
-        {
-          nativeBuildInputs = [ pkgs.remarshal ];
-        } ''
-        yaml2json < "${f}" > "$out"
-      '';
-    in
-    builtins.fromJSON (builtins.readFile jsonFile);
-
   mkYamlConf = name: cfg:
     if cfg != null then {
       "trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg;
@@ -73,7 +61,7 @@ in
 
     ipAllow = mkOption {
       type = types.nullOr yaml.type;
-      default = fromYAML (getConfPath "ip_allow.yaml");
+      default = builtins.fromJSON (builtins.readFile ./ip_allow.json);
       defaultText = "upstream defaults";
       example = literalExample {
         ip_allow = [{
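Review bot: `defaultText = "upstream defaults"` on the line after the new `default` no longer describes the value: the default is now a JSON snapshot vendored next to the module, which will silently drift from whatever `pkgs.trafficserver` ships, and for ip_allow that snapshot is the proxy's access-control policy (PURGE/PUSH/DELETE denied from everywhere except loopback). I'd record the provenance so whoever bumps the package knows to refresh it, e.g. a comment above the default, `# Snapshot of upstream ip_allow.yaml (trafficserver <UPSTREAM_VERSION>) converted to JSON; refresh on package bumps`, and `defaultText = "upstream defaults (vendored snapshot)";`. The same applies to the logging default in the next hunk, which reads ./logging.json. The enclosing options attribute set and the `let` block start outside this hunk.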
@@ -94,7 +82,7 @@ in
 
     logging = mkOption {
       type = types.nullOr yaml.type;
-      default = fromYAML (getConfPath "logging.yaml");
+      default = builtins.fromJSON (builtins.readFile ./logging.json);
       defaultText = "upstream defaults";
       example = literalExample { };
       description = ''
diff --git a/nixos/modules/services/web-servers/trafficserver/ip_allow.json b/nixos/modules/services/web-servers/trafficserver/ip_allow.json
new file mode 100644
index 00000000000..fc2db803728
--- /dev/null
+++ b/nixos/modules/services/web-servers/trafficserver/ip_allow.json
@@ -0,0 +1,36 @@
+{
+  "ip_allow": [
+    {
+      "apply": "in",
+      "ip_addrs": "127.0.0.1",
+      "action": "allow",
+      "methods": "ALL"
+    },
+    {
+      "apply": "in",
+      "ip_addrs": "::1",
+      "action": "allow",
+      "methods": "ALL"
+    },
+    {
+      "apply": "in",
+      "ip_addrs": "0/0",
+      "action": "deny",
+      "methods": [
+        "PURGE",
+        "PUSH",
+        "DELETE"
+      ]
+    },
+    {
+      "apply": "in",
+      "ip_addrs": "::/0",
+      "action": "deny",
+      "methods": [
+        "PURGE",
+        "PUSH",
+        "DELETE"
+      ]
+    }
+  ]
+}
diff --git a/nixos/modules/services/web-servers/trafficserver/logging.json b/nixos/modules/services/web-servers/trafficserver/logging.json
new file mode 100644
index 00000000000..81e7ba0186c
--- /dev/null
+++ b/nixos/modules/services/web-servers/trafficserver/logging.json
@@ -0,0 +1,37 @@
+{
+  "logging": {
+    "formats": [
+      {
+        "name": "welf",
+        "format": "id=firewall time=\"%<cqtd> %<cqtt>\" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg=\"%<cqup>\" result=%<pssc> ref=\"%<{Referer}cqh>\" agent=\"%<{user-agent}cqh>\" cache=%<crc>"
+      },
+      {
+        "name": "squid_seconds_only_timestamp",
+        "format": "%<cqts> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>"
+      },
+      {
+        "name": "squid",
+        "format": "%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>"
+      },
+      {
+        "name": "common",
+        "format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl>"
+      },
+      {
+        "name": "extended",
+        "format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>"
+      },
+      {
+        "name": "extended2",
+        "format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>"
+      }
+    ],
+    "logs": [
+      {
+        "filename": "squid",
+        "format": "squid",
+        "mode": "binary"
+      }
+    ]
+  }
+}