nixos/trafficserver: avoid input from derivation

Using builtins.readFile to load upstream defaults is a clever trick, but
it's not allowed in restricted evaluation mode, which means it fails on
Hydra, for example. Besides, in Nixpkgs, depending on derivations as
inputs is considered bad practice and should be avoided.
rnhmjoj 2021-09-23 08:54:25 +02:00
parent dc2cebde00
commit 5ca89402ee
No known key found for this signature in database
GPG Key ID: BFBAF4C975F76450
4 changed files with 76 additions and 15 deletions


@ -1031,7 +1031,7 @@
./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix
./services/web-servers/traefik.nix
./services/web-servers/trafficserver.nix
./services/web-servers/trafficserver/default.nix
./services/web-servers/ttyd.nix
./services/web-servers/uwsgi.nix
./services/web-servers/varnish/default.nix


@ -8,21 +8,9 @@ let
group = config.users.groups.trafficserver.name;
getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html";
getConfPath = name: "${pkgs.trafficserver}/etc/trafficserver/${name}";
yaml = pkgs.formats.yaml { };
fromYAML = f:
let
jsonFile = pkgs.runCommand "in.json"
{
nativeBuildInputs = [ pkgs.remarshal ];
} ''
yaml2json < "${f}" > "$out"
'';
in
builtins.fromJSON (builtins.readFile jsonFile);
mkYamlConf = name: cfg:
if cfg != null then {
"trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg;
@ -73,7 +61,7 @@ in
ipAllow = mkOption {
type = types.nullOr yaml.type;
default = fromYAML (getConfPath "ip_allow.yaml");
default = builtins.fromJSON (builtins.readFile ./ip_allow.json);
defaultText = "upstream defaults";
example = literalExample {
ip_allow = [{
@ -94,7 +82,7 @@ in
logging = mkOption {
type = types.nullOr yaml.type;
default = fromYAML (getConfPath "logging.yaml");
default = builtins.fromJSON (builtins.readFile ./logging.json);
defaultText = "upstream defaults";
example = literalExample { };
description = ''
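Review bot: The `ipAllow` and `logging` defaults are now read from checked-in snapshots (`./ip_allow.json`, `./logging.json`), but `defaultText = "upstream defaults"` is left as it was and nothing in these hunks records which upstream release the snapshots were taken from. Because `ip_allow` is the access-control list that limits PURGE, PUSH and DELETE to loopback, a later `pkgs.trafficserver` update that changes the shipped `ip_allow.yaml` would leave the module applying the old rules with no visible signal. I would add a comment above each default such as `# Snapshot of upstream ip_allow.yaml; re-sync on every trafficserver update` and make the text explicit, e.g. `defaultText = "upstream defaults as snapshotted in ./ip_allow.json";`. Both option definitions continue outside the hunks shown.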


@ -0,0 +1,36 @@
{
"ip_allow": [
{
"apply": "in",
"ip_addrs": "127.0.0.1",
"action": "allow",
"methods": "ALL"
},
{
"apply": "in",
"ip_addrs": "::1",
"action": "allow",
"methods": "ALL"
},
{
"apply": "in",
"ip_addrs": "0/0",
"action": "deny",
"methods": [
"PURGE",
"PUSH",
"DELETE"
]
},
{
"apply": "in",
"ip_addrs": "::/0",
"action": "deny",
"methods": [
"PURGE",
"PUSH",
"DELETE"
]
}
]
}


@ -0,0 +1,37 @@
{
"logging": {
"formats": [
{
"name": "welf",
"format": "id=firewall time=\"%<cqtd> %<cqtt>\" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg=\"%<cqup>\" result=%<pssc> ref=\"%<{Referer}cqh>\" agent=\"%<{user-agent}cqh>\" cache=%<crc>"
},
{
"name": "squid_seconds_only_timestamp",
"format": "%<cqts> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>"
},
{
"name": "squid",
"format": "%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>"
},
{
"name": "common",
"format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl>"
},
{
"name": "extended",
"format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>"
},
{
"name": "extended2",
"format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>"
}
],
"logs": [
{
"filename": "squid",
"format": "squid",
"mode": "binary"
}
]
}
}