pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #205561 from symphorien/nginx-conf-validate

nixos/nginx: validate config at build time

Guillaume Girol 92dbac31 adf346ae

options
unified split
Changed files
+57 -4
nixos
doc
manual
from_md
release-notes
rl-2305.section.xml
release-notes
rl-2305.section.md
modules
services
web-servers
nginx
default.nix
tests
nginx.nix
+10
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml 
···

       
140

       
140

       
 

       
      </listitem>


     

       
141

       
141

       
 

       
      <listitem>


     

       
142

       
142

       
 

       
        <para>


     

       

       
143

       
+

       
          The Nginx module now validates the syntax of config files at


     

       

       
144

       
+

       
          build time. For more complex configurations (using


     

       

       
145

       
+

       
          <literal>include</literal> with out-of-store files notably)


     

       

       
146

       
+

       
          you may need to disable this check by setting


     

       

       
147

       
+

       
          <link linkend="opt-services.nginx.validateConfig">services.nginx.validateConfig</link>


     

       

       
148

       
+

       
          to <literal>false</literal>.


     

       

       
149

       
+

       
        </para>


     

       

       
150

       
+

       
      </listitem>


     

       

       
151

       
+

       
      <listitem>


     

       

       
152

       
+

       
        <para>


     

       
143

       
153

       
 

       
          The EC2 image module previously detected and automatically


     

       
144

       
154

       
 

       
          mounted ext3-formatted instance store devices and partitions


     

       
145

       
155

       
 

       
          in stage-1 (initramfs), storing <literal>/tmp</literal> on the
+2
nixos/doc/manual/release-notes/rl-2305.section.md 
···

       
43

       
43

       
 

       



     

       
44

       
44

       
 

       
- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.


     

       
45

       
45

       
 

       



     

       

       
46

       
+

       
- The Nginx module now validates the syntax of config files at build time. For more complex configurations (using `include` with out-of-store files notably) you may need to disable this check by setting [services.nginx.validateConfig](#opt-services.nginx.validateConfig) to `false`.


     

       

       
47

       
+

       



     

       
46

       
48

       
 

       
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.


     

       
47

       
49

       
 

       



     

       
48

       
50

       
 

       
- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
+44 -3
nixos/modules/services/web-servers/nginx/default.nix 
···

       
241

       
241

       
 

       



     

       
242

       
242

       
 

       
  configPath = if cfg.enableReload


     

       
243

       
243

       
 

       
    then "/etc/nginx/nginx.conf"


     

       
244

       

       
-

       
    else configFile;


     

       

       
244

       
+

       
    else finalConfigFile;


     

       
245

       
245

       
 

       



     

       
246

       
246

       
 

       
  execCommand = "${cfg.package}/bin/nginx -c '${configPath}'";


     

       
247

       
247

       
 

       



     
···

       
393

       
393

       
 

       
  );


     

       
394

       
394

       
 

       



     

       
395

       
395

       
 

       
  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;


     

       

       
396

       
+

       



     

       

       
397

       
+

       
  snakeOilCert = pkgs.runCommand "nginx-config-validate-cert" { nativeBuildInputs = [ pkgs.openssl.bin ]; } ''


     

       

       
398

       
+

       
    mkdir $out


     

       

       
399

       
+

       
    openssl genrsa -des3 -passout pass:xxxxx -out server.pass.key 2048


     

       

       
400

       
+

       
    openssl rsa -passin pass:xxxxx -in server.pass.key -out $out/server.key


     

       

       
401

       
+

       
    openssl req -new -key $out/server.key -out server.csr \


     

       

       
402

       
+

       
    -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"


     

       

       
403

       
+

       
    openssl x509 -req -days 1 -in server.csr -signkey $out/server.key -out $out/server.crt


     

       

       
404

       
+

       
  '';


     

       

       
405

       
+

       
  validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package ]; } ''


     

       

       
406

       
+

       
    # nginx absolutely wants to read the certificates even when told to only validate config, so let's provide fake certs


     

       

       
407

       
+

       
    sed ${configFile} \


     

       

       
408

       
+

       
    -e "s|ssl_certificate .*;|ssl_certificate ${snakeOilCert}/server.crt;|g" \


     

       

       
409

       
+

       
    -e "s|ssl_trusted_certificate .*;|ssl_trusted_certificate ${snakeOilCert}/server.crt;|g" \


     

       

       
410

       
+

       
    -e "s|ssl_certificate_key .*;|ssl_certificate_key ${snakeOilCert}/server.key;|g" \


     

       

       
411

       
+

       
    > conf


     

       

       
412

       
+

       



     

       

       
413

       
+

       
    LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so \


     

       

       
414

       
+

       
      NIX_REDIRECTS="/etc/resolv.conf=/dev/null" \


     

       

       
415

       
+

       
      nginx -t -c $(readlink -f ./conf) > out 2>&1 || true


     

       

       
416

       
+

       
    if ! grep -q "syntax is ok" out; then


     

       

       
417

       
+

       
      echo nginx config validation failed.


     

       

       
418

       
+

       
      echo config was ${configFile}.


     

       

       
419

       
+

       
      echo 'in case of false positive, set `services.nginx.validateConfig` to false.'


     

       

       
420

       
+

       
      echo nginx output:


     

       

       
421

       
+

       
      cat out


     

       

       
422

       
+

       
      exit 1


     

       

       
423

       
+

       
    fi


     

       

       
424

       
+

       
    cp ${configFile} $out


     

       

       
425

       
+

       
  '';


     

       

       
426

       
+

       



     

       

       
427

       
+

       
  finalConfigFile = if cfg.validateConfig then validatedConfigFile else configFile;


     

       
396

       
428

       
 

       
in


     

       
397

       
429

       
 

       



     

       
398

       
430

       
 

       
{


     
···

       
488

       
520

       
 

       
          Nginx package to use. This defaults to the stable version. Note


     

       
489

       
521

       
 

       
          that the nginx team recommends to use the mainline version which


     

       
490

       
522

       
 

       
          available in nixpkgs as `nginxMainline`.


     

       

       
523

       
+

       
        '';


     

       

       
524

       
+

       
      };


     

       

       
525

       
+

       



     

       

       
526

       
+

       
      validateConfig = mkOption {


     

       

       
527

       
+

       
        default = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform;


     

       

       
528

       
+

       
        defaultText = literalExpression "pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform";


     

       

       
529

       
+

       
        type = types.bool;


     

       

       
530

       
+

       
        description = lib.mdDoc ''


     

       

       
531

       
+

       
          Validate the generated nginx config at build time. The check is not very robust and can be disabled in case of false positives. This is notably the case when cross-compiling or when using `include` with files outside of the store.


     

       
491

       
532

       
 

       
        '';


     

       
492

       
533

       
 

       
      };


     

       
493

       
534

       
 

       



     
···

       
1029

       
1070

       
 

       
    };


     

       
1030

       
1071

       
 

       



     

       
1031

       
1072

       
 

       
    environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload {


     

       
1032

       

       
-

       
      source = configFile;


     

       

       
1073

       
+

       
      source = finalConfigFile;


     

       
1033

       
1074

       
 

       
    };


     

       
1034

       
1075

       
 

       



     

       
1035

       
1076

       
 

       
    # This service waits for all certificates to be available


     
···

       
1048

       
1089

       
 

       
      # certs are updated _after_ config has been reloaded.


     

       
1049

       
1090

       
 

       
      before = sslTargets;


     

       
1050

       
1091

       
 

       
      after = sslServices;


     

       
1051

       

       
-

       
      restartTriggers = optionals (cfg.enableReload) [ configFile ];


     

       

       
1092

       
+

       
      restartTriggers = optionals (cfg.enableReload) [ finalConfigFile ];


     

       
1052

       
1093

       
 

       
      # Block reloading if not all certs exist yet.


     

       
1053

       
1094

       
 

       
      # Happens when config changes add new vhosts/certs.


     

       
1054

       
1095

       
 

       
      unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames);
+1 -1
nixos/tests/nginx.nix 
···

       
61

       
61

       
 

       



     

       
62

       
62

       
 

       
      specialisation.reloadWithErrorsSystem.configuration = {


     

       
63

       
63

       
 

       
        services.nginx.package = pkgs.nginxMainline;


     

       
64

       

       
-

       
        services.nginx.virtualHosts."!@$$(#*%".locations."~@#*$*!)".proxyPass = ";;;";


     

       

       
64

       
+

       
        services.nginx.virtualHosts."hello".extraConfig = "access_log /does/not/exist.log;";


     

       
65

       
65

       
 

       
      };


     

       
66

       
66

       
 

       
    };


     

       
67

       
67

       
 

       
  };