Caddy 2: custom plugins support #89268

Closed
diamondburned opened this issue May 31, 2020 · 7 comments
Labels
0.kind: packaging request Request for a new package to be added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@diamondburned

There should be exposed vendorSha256 and plugins options to allow generating and compiling Caddy v2 with additional plugins.

Example:

{ services.caddy = {
	enable = true;
	vendorSha256 = "0bm80sc65ac38jhfyaig2hw6dy76gvxpdfmck3i99vg1bbigp36l";
	plugins = [
		"github.com/mholt/caddy-webdav"
	];
	config = ''
		{
			order webdav last
		}

		http://localhost:10691 {
			respond "Hello, world!"
		}

		http://localhost:10690 {
			root * /tmp/
			webdav *
			log {
				output stderr
			}
		}
	'';
}; }
@diamondburned diamondburned added the 0.kind: packaging request Request for a new package to be added label May 31, 2020
@diamondburned
Author

diamondburned commented May 31, 2020

Below are 2 Nix files that I have modified and written for personal use. It's not styled properly, and it's missing a fallback vendorSha256. But I think it can be of use.

Edited to reflect recent buildGoModule changes, mostly to do with vendoring.

Service implementation
{ config, lib, pkgs, ... }:

with lib;

let cfg = config.services.caddy;
	configFile = pkgs.writeText "caddyconfig" cfg.config;

in {
	options.services.caddy = {
		enable = mkEnableOption "Caddy web server";

		config = mkOption {
			default = "";
			example = ''
				example.com {
					gzip
					minify
					log syslog

					root /srv/http
				}
			'';
			type = types.lines;
			description = "Configuration file to use with adapter";
		};

		adapter = mkOption {
			default = "caddyfile";
			type = types.str;
			description = "Type of config given";
		};

		dataDir = mkOption {
			default = "/var/lib/caddy";
			type = types.path;
			description = ''
				The data directory, for storing certificates. Before 17.09, this
				would create a .caddy directory. With 17.09 the contents of the
				.caddy directory are in the specified data directory instead.
			'';
		};

		plugins = mkOption {
			default = [];
			type = types.listOf types.str;
			example = [
				"github.com/tarent/loginsrv/caddy"
			];
			description = "List of plugins to use";
		};

		vendorSha256 = mkOption {
			default = lib.fakeSha256;
			type = types.str;
			description = "Only fill this if custom plugins are added";
		};

		package = mkOption {
			default = (pkgs.callPackage ./default.nix {
				plugins      = cfg.plugins;
				vendorSha256 = cfg.vendorSha256;
			});
			type = types.package;
			description = "Caddy package to use.";
		};
	};

	config = mkIf cfg.enable {
		environment.systemPackages = [ cfg.package ];

		systemd.services.caddy = {
			description = "Caddy web server";
			after    = [ "network-online.target" ];
			wantedBy = [ "multi-user.target"     ];
			serviceConfig = {
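				# cfg.package is a store directory; the binary is bin/caddy inside it.
				ExecStart = ''
					${cfg.package}/bin/caddy run \
						--config  ${configFile}  \
						--adapter ${cfg.adapter}
				'';
				ExecReload = "${cfg.package}/bin/caddy reload --config ${configFile} --adapter ${cfg.adapter}";
				ExecStop   = "${cfg.package}/bin/caddy stop";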
				Type  = "simple";
				User  = "caddy";
				Group = "caddy";
				Restart = "on-failure";
				StartLimitInterval = 86400;
				StartLimitBurst    = 1;
				AmbientCapabilities   = "cap_net_bind_service";
				CapabilityBoundingSet = "cap_net_bind_service";
				NoNewPrivileges = true;
				LimitNPROC  = 8192;
				LimitNOFILE = 1048576;
				PrivateTmp     = true;
				PrivateDevices = true;
				ProtectHome    = true;
				ProtectSystem  = "full";
				ReadWriteDirectories = cfg.dataDir;
			};
		};

		users.users.caddy = {
			group = "caddy";
			uid = config.ids.uids.caddy;
			home = cfg.dataDir;
			createHome = true;
		};

		users.groups.caddy.gid = config.ids.uids.caddy;
	};
}
Package file implementation
{ stdenv, lib, buildGoModule, plugins ? [], vendorSha256 ? "" }:

with lib;

let imports = flip concatMapStrings plugins (pkg: "\t\t\t_ \"${pkg}\"\n");

	main = ''
		package main
	
		import (
			caddycmd "github.com/caddyserver/caddy/v2/cmd"

			_ "github.com/caddyserver/caddy/v2/modules/standard"
${imports}
		)

		func main() {
			caddycmd.Main()
		}
	'';


in buildGoModule rec {
	pname = "caddy";
	version = "2.0.0";

	goPackagePath = "github.com/caddyserver/caddy/v2";

	subPackages = [ "cmd/caddy" ];

	src = builtins.fetchGit {
		url = "https://github.com/caddyserver/caddy.git";
		rev = "e051e119d1dff75972ed9b07cf97bbb989ba8daa";
	};

	inherit vendorSha256;

	overrideModAttrs = (_: {
		preBuild    = "echo '${main}' > cmd/caddy/main.go";
		postInstall = "cp go.sum go.mod $out/ && ls $out/";
	});

	postPatch = ''
		echo '${main}' > cmd/caddy/main.go
		cat cmd/caddy/main.go
	'';

	postConfigure = ''
		cp vendor/go.sum ./
		cp vendor/go.mod ./
	'';

	meta = with stdenv.lib; {
		homepage = https://caddyserver.com;
		description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
		license = licenses.asl20;
		maintainers = with maintainers; [ rushmorem fpletz zimbatm ];
	};
}
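
The package file above splices each `plugins` entry verbatim into the generated `main.go` and then into a single-quoted `echo`, so a malformed entry changes what gets compiled. As an added example (not code from this thread or from nixpkgs), the Go program below renders the same file behind an allow-list check and parses it back to confirm exactly which packages are blank-imported; `renderMain`, `blankImports` and the regular expression are assumptions of this example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
	"strings"
)

// Assumption: a strict allow-list, narrower than Go's full import-path grammar.
var importPathRe = regexp.MustCompile(`^[A-Za-z0-9._~-]+(/[A-Za-z0-9._~-]+)*$`)

const header = "package main\n\nimport (\n\tcaddycmd \"github.com/caddyserver/caddy/v2/cmd\"\n\n" +
	"\t_ \"github.com/caddyserver/caddy/v2/modules/standard\"\n"

// renderMain builds the main.go that the Nix expression generates, but refuses
// any plugin string that is not a plain import path (quotes, spaces, newlines).
func renderMain(plugins []string) (string, error) {
	var b strings.Builder
	b.WriteString(header)
	for _, p := range plugins {
		if !importPathRe.MatchString(p) {
			return "", fmt.Errorf("rejected plugin path %q", p)
		}
		fmt.Fprintf(&b, "\t_ %s\n", strconv.Quote(p))
	}
	b.WriteString(")\n\nfunc main() {\n\tcaddycmd.Main()\n}\n")
	return b.String(), nil
}

// blankImports parses generated source and returns every blank-imported path,
// so the result can be compared with the intended plugin list before building.
func blankImports(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "main.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, imp := range f.Imports {
		if imp.Name != nil && imp.Name.Name == "_" {
			path, _ := strconv.Unquote(imp.Path.Value)
			out = append(out, path)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(renderMain([]string{"github.com/mholt/caddy-webdav"}))
}
```
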

@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label May 31, 2020
@davidak
Member

davidak commented Jun 2, 2020

duplicate of #14671

@diamondburned can you create a pull request?

@davidak davidak closed this as completed Jun 2, 2020
@diamondburned
Author

My PR would be exposing vendorSha256; I'm not sure if that's a good idea.

@curbengh

This can already be achieved with the existing services.caddy.package.

configuration.nix

  services.caddy = {
    package = (pkgs.callPackage ./custom-caddy.nix {
      plugins = [ "github.com/tarent/loginsrv/caddy" ];
      vendorSha256 = "xxx";
    });
  };

custom-caddy.nix would be similar to the example package file given in #89268 (comment).

@curbengh

curbengh commented Feb 18, 2023

@diamondburned I'm wondering if you have any issue on 22.11? I got this error after upgrading from 22.05, same with fresh 22.11.

building Nix...
building the system configuration...
these 6 derivations will be built:
  /nix/store/03fkqq2w1dh414vvwwj3g3387m4hcn5s-caddy-2.5.1-go-modules.drv
  /nix/store/axb34yik46f4r7jn7nc2prfil756995n-caddy-2.5.1.drv
  /nix/store/61i1rx8hyma0vk6vs1727kb0kwq8j7dl-unit-caddyServices.service.drv
...
copying path '/nix/store/krcc44294g624jah0vf778czc4j3dxk5-source' from 'https://cache.nixos.org'...
...
building '/nix/store/03fkqq2w1dh414vvwwj3g3387m4hcn5s-caddy-2.5.1-go-modules.drv'...
unpacking sources
unpacking source archive /nix/store/krcc44294g624jah0vf778czc4j3dxk5-source
source root is source
patching sources
configuring
building
go: downloading github.com/caddyserver/certmagic v0.16.1
...
github.com/caddyserver/caddy/v2/cmd/caddy imports
        github.com/mholt/caddy-webdav: no required module provides package github.com/mholt/caddy-webdav; to add it:
        go get github.com/mholt/caddy-webdav
error: builder for '/nix/store/03fkqq2w1dh414vvwwj3g3387m4hcn5s-caddy-2.5.1-go-modules.drv' failed with exit code 1
error: 1 dependencies of derivation '/nix/store/axb34yik46f4r7jn7nc2prfil756995n-caddy-2.5.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/61i1rx8hyma0vk6vs1727kb0kwq8j7dl-unit-caddyServices.service.drv' failed to build
error: 1 dependencies of derivation '/nix/store/qpmv6wij360bj4h421f15585k62y1i5w-system-units.drv' failed to build
error: 1 dependencies of derivation '/nix/store/rpsbsnp5n17ppsgq4pskals2aair0x5h-etc.drv' failed to build
error: 1 dependencies of derivation '/nix/store/4pcisn7wf3m01znlg9x37r2zknimzfvs-nixos-system-nixos-22.11.2606.2fb7d749c08.drv' failed to build

curbengh pushed a commit to curbengh/curbengh.github.io that referenced this issue Feb 23, 2023
@thenbe
Contributor

thenbe commented Jul 5, 2024

Posting here since this page still shows up prominently on search results.

I struggled with this recently, and I found two workarounds that do not require setting sandbox=false.

At first I got it working by following @curbengh's guide along with the heretic's way: https://zimbatm.com/notes/nix-packaging-the-heretic-way. Essentially, that meant setting nix.settings.sandbox = relaxed, then setting __noChroot = true in the derivation.

Then I found a solution which does not require messing with sandbox settings at all: #14671 (comment).

@pathob
Member

pathob commented Aug 13, 2024

Hmm, @thenbe the blog post is not available (cloudflare 502), messing with the sandbox settings should be avoided and the linked PR is just a draft.

The cleanest way in my opinion (currently) is to package a patched Caddy version with Go. This project or one of its forks show how to do that with flakes: https://github.com/pinpox/nixos-caddy-patched
