Unverified Commit c068347f authored by Leona Maroni's avatar Leona Maroni Committed by GitHub

Fixes and housekeeping for the varnish module (#373747)

parents 6730279a 0640622e
+44 −39
@@ -5,65 +5,80 @@
  ...
}:

with lib;

let
  cfg = config.services.varnish;

  # Varnish has very strong opinions and very complicated code around handling
  # the stateDir. After a lot of back and forth, we decided that we a)
  # do not want a configurable option here, as most of the handling depends
  # on the version and the compile time options. Putting everything into
  # /var/run (RAM backed) is absolutely recommended by Varnish anyways.
  # We do need to pay attention to the version-dependend variations, though!
  stateDir =
    if
      (lib.versionOlder cfg.package.version "7")
    # Remove after Varnish 6.0 is gone. In 6.0 varnishadm always appends the
    # hostname (by default) and can't be nudged to not use any name. This has
    # long changed by 7.5 and can be used without the host name.
    then
      "/var/run/varnish/${config.networking.hostName}"
    # Newer varnish uses this:
    else
      "/var/run/varnishd";

  commandLine =
    "-f ${pkgs.writeText "default.vcl" cfg.config}"
    +
      optionalString (cfg.extraModules != [ ])
      lib.optionalString (cfg.extraModules != [ ])
        " -p vmod_path='${
           makeSearchPathOutput "lib" "lib/varnish/vmods" ([ cfg.package ] ++ cfg.extraModules)
           lib.makeSearchPathOutput "lib" "lib/varnish/vmods" ([ cfg.package ] ++ cfg.extraModules)
         }' -r vmod_path";
in
{
  imports = [
    (lib.mkRemovedOptionModule [
      "services"
      "varnish"
      "stateDir"
    ] "The `stateDir` option never was functional or useful. varnish uses compile-time settings.")
  ];

  options = {
    services.varnish = {
      enable = mkEnableOption "Varnish Server";
      enable = lib.mkEnableOption "Varnish Server";

      enableConfigCheck = mkEnableOption "checking the config during build time" // {
      enableConfigCheck = lib.mkEnableOption "checking the config during build time" // {
        default = true;
      };

      package = mkPackageOption pkgs "varnish" { };
      package = lib.mkPackageOption pkgs "varnish" { };

      http_address = mkOption {
        type = types.str;
      http_address = lib.mkOption {
        type = lib.types.str;
        default = "*:6081";
        description = ''
          HTTP listen address and port.
        '';
      };

      config = mkOption {
        type = types.lines;
      config = lib.mkOption {
        type = lib.types.lines;
        description = ''
          Verbatim default.vcl configuration.
        '';
      };

      stateDir = mkOption {
        type = types.path;
        default = "/run/varnish/${config.networking.hostName}";
        defaultText = literalExpression ''"/run/varnish/''${config.networking.hostName}"'';
        description = ''
          Directory holding all state for Varnish to run. Note that this should be a tmpfs in order to avoid performance issues and crashes.
        '';
      };

      extraModules = mkOption {
        type = types.listOf types.package;
      extraModules = lib.mkOption {
        type = lib.types.listOf lib.types.package;
        default = [ ];
        example = literalExpression "[ pkgs.varnishPackages.geoip ]";
        example = lib.literalExpression "[ pkgs.varnishPackages.geoip ]";
        description = ''
          Varnish modules (except 'std').
        '';
      };

      extraCommandLine = mkOption {
        type = types.str;
      extraCommandLine = lib.mkOption {
        type = lib.types.str;
        default = "";
        example = "-s malloc,256M";
        description = ''
@@ -74,30 +89,20 @@ in

  };

  config = mkIf cfg.enable {

  config = lib.mkIf cfg.enable {
    systemd.services.varnish = {
      description = "Varnish";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      preStart = mkIf (!(lib.hasPrefix "/run/" cfg.stateDir)) ''
        mkdir -p ${cfg.stateDir}
        chown -R varnish:varnish ${cfg.stateDir}
      '';
      postStop = mkIf (!(lib.hasPrefix "/run/" cfg.stateDir)) ''
        rm -rf ${cfg.stateDir}
      '';
      serviceConfig = {
        Type = "simple";
        PermissionsStartOnly = true;
        ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${cfg.stateDir} -F ${cfg.extraCommandLine} ${commandLine}";
        ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${stateDir} -F ${cfg.extraCommandLine} ${commandLine}";
        Restart = "always";
        RestartSec = "5s";
        User = "varnish";
        Group = "varnish";
        RuntimeDirectory = mkIf (lib.hasPrefix "/run/" cfg.stateDir) (
          lib.removePrefix "/run/" cfg.stateDir
        );
        RuntimeDirectory = lib.removePrefix "/var/run/" stateDir;
        AmbientCapabilities = "cap_net_bind_service";
        NoNewPrivileges = true;
        LimitNOFILE = 131072;
@@ -107,7 +112,7 @@ in
    environment.systemPackages = [ cfg.package ];

    # check .vcl syntax at compile time (e.g. before nixops deployment)
    system.checks = mkIf cfg.enableConfigCheck [
    system.checks = lib.mkIf cfg.enableConfigCheck [
      (pkgs.runCommand "check-varnish-syntax" { } ''
        ${cfg.package}/bin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1)
      '')
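Review bot: `RuntimeDirectory = lib.removePrefix "/var/run/" stateDir;` on the new side of the second hunk silently produces an absolute path if `stateDir` ever stops starting with `/var/run/` (`removePrefix` returns its input unchanged), and systemd rejects an absolute `RuntimeDirectory` at unit start; since `stateDir` is now computed in the `let` block rather than user-supplied, making the coupling explicit there is cheap, e.g. `runtimeDirectory = assert lib.hasPrefix "/var/run/" stateDir; lib.removePrefix "/var/run/" stateDir;` and `RuntimeDirectory = runtimeDirectory;`. The new wiring also relies on `/var/run` resolving to `/run` so that the directory systemd creates (owned by the `varnish` user) is the one `-n ${stateDir}` points varnishd at, which replaces the deleted `preStart`/`postStop` chown and cleanup; that assumption belongs in the comment above `stateDir`, which also has a typo (`version-dependend` → `version-dependent`). The `config = lib.mkIf cfg.enable {` block opened in the second hunk ends outside it.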
+1 −0
@@ -1143,6 +1143,7 @@ in {
  v2ray = handleTest ./v2ray.nix {};
  varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; };
  varnish75 = handleTest ./varnish.nix { package = pkgs.varnish75; };
  varnish76 = handleTest ./varnish.nix { package = pkgs.varnish76; };
  vault = handleTest ./vault.nix {};
  vault-agent = handleTest ./vault-agent.nix {};
  vault-dev = handleTest ./vault-dev.nix {};
+6 −2
@@ -56,8 +56,12 @@ import ./make-test-python.nix (

      client.wait_until_succeeds("curl -f http://varnish/nix-cache-info");

      client.wait_until_succeeds("nix-store -r ${testPath}");
      client.succeed("${testPath}/bin/hello");
      client.wait_until_succeeds("nix-store -r ${testPath}")
      client.succeed("${testPath}/bin/hello")

      output = varnish.succeed("varnishadm status")
      print(output)
      assert "Child in state running" in output, "Unexpected varnishadm response"
    '';
  }
)
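Review bot: The assertion on the last added line drops the actual varnishadm response on failure, so the `print(output)` above it is the only place the reply can be seen; folding it into the message, `assert "Child in state running" in output, f"Unexpected varnishadm response: {output!r}"`, keeps the diagnostic attached to the failure and makes the print redundant. Removing the trailing semicolons on the two `client.` lines is correct since the block is Python, not Nix.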
+7 −2
@@ -54,7 +54,7 @@ let
        ++ lib.optional stdenv.hostPlatform.isDarwin libunwind
        ++ lib.optional stdenv.hostPlatform.isLinux jemalloc;

      buildFlags = [ "localstatedir=/var/spool" ];
      buildFlags = [ "localstatedir=/var/run" ];

      postPatch = ''
        substituteInPlace bin/varnishtest/vtc_main.c --replace /bin/rm "${coreutils}/bin/rm"
@@ -83,7 +83,7 @@ let
        description = "Web application accelerator also known as a caching HTTP reverse proxy";
        homepage = "https://www.varnish-cache.org";
        license = licenses.bsd2;
        maintainers = [ ];
        maintainers = lib.teams.flyingcircus.members;
        platforms = platforms.unix;
      };
    };
@@ -99,4 +99,9 @@ in
    version = "7.5.0";
    hash = "sha256-/KYbmDE54arGHEVG0SoaOrmAfbsdgxRXHjFIyT/3K10=";
  };
  # EOL 2025-09-15
  varnish76 = common {
    version = "7.6.1";
    hash = "sha256-Wpu1oUn/J4Z7VKZs4W0qS5Pt/6VHPLh8nHH3aZz4Rbo=";
  };
}
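Review bot: The `localstatedir=/var/run` build flag lives in `common`, so it applies to every version built from it (6.0, 7.5 and the new 7.6), and as far as I can tell it changes varnishd's compiled-in default working directory rather than only a spool path, which is exactly what the NixOS module's new `stateDir` computation depends on. A comment on that line would stop a later cleanup from reverting it to `/var/spool`, e.g. `# localstatedir determines varnishd's compiled-in default working directory; the NixOS varnish module assumes /var/run`. The `# EOL 2025-09-15` note on the 7.6.1 entry is useful; whether the other versions carry the same annotation is not visible in this hunk.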
+4 −0
@@ -59,4 +59,8 @@ in
    version = "0.24.0";
    hash = "sha256-2MfcrhhkBz9GyQxEWzjipdn1CBEqnCvC3t1G2YSauak=";
  };
  modules25 = common {
    version = "0.25.0";
    hash = "sha256-m/7moizVyvoP8xnpircAFVUqCmCfTGkgVyRc6zkdVsk=";
  };
}