From 4d988ff0d0fa772f0297b5227c343a62391cbe1c Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 25 Apr 2020 16:54:33 +0300 Subject: [PATCH 1/7] nixos/nginx: change log and cache directories --- .../services/web-servers/nginx/default.nix | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 8d49dc66eb1a..1e9cda7e4785 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -187,7 +187,7 @@ let then "/etc/nginx/nginx.conf" else configFile; - execCommand = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'"; + execCommand = "${cfg.package}/bin/nginx -c '${configPath}'"; vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: let @@ -463,13 +463,6 @@ in ''; }; - stateDir = mkOption { - default = "/var/spool/nginx"; - description = " - Directory holding all state for nginx to run. - "; - }; - user = mkOption { type = types.str; default = "nginx"; @@ -636,6 +629,13 @@ in }; }; + imports = [ + (mkRemovedOptionModule [ "services" "nginx" "stateDir" ] '' + The Nginx log directory has been moved to /var/log/nginx, the cache directory + to /var/cache/nginx. The option services.nginx.stateDir has been removed. + '') + ]; + config = mkIf cfg.enable { # TODO: test user supplied config file pases syntax test @@ -680,12 +680,6 @@ in } ]; - systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" - "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" - ]; - systemd.services.nginx = { description = "Nginx Web Server"; wantedBy = [ "multi-user.target" ]; 
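Review bot: Dropping `-p '${cfg.stateDir}'` from `execCommand` makes nginx fall back to its compiled-in prefix, so a relative path in user-supplied configuration (for example `access_log logs/site.log;`, a constructed example) no longer resolves under a writable state directory. The compiled-in prefix is presumably the package's store path, which is read-only, so such configurations would fail at start rather than write somewhere unexpected. That is worth confirming and stating in the removal message and the release notes. The enclosing `let` block starts and ends outside the hunk.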
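Review bot: The `mkRemovedOptionModule` text says where logs and cache now live but not what happens to data already under the old `stateDir` (default `/var/spool/nginx`, per the removed option). Nothing in this series moves it, and the removed `systemd.tmpfiles.rules` no longer manage that directory. Existing access and error logs therefore stay behind with their old ownership, and anything that reads them (log shippers, ban tooling, the awstats `logFile` setting) keeps pointing at a path that stops receiving entries. I would extend the message with a sentence such as `Existing logs under the old stateDir are not migrated; move them and update any log consumers.`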
@@ -708,6 +702,12 @@ in # Runtime directory and mode RuntimeDirectory = "nginx"; RuntimeDirectoryMode = "0750"; + # Cache directory and mode + CacheDirectory = "nginx"; + CacheDirectoryMode = "0750"; + # Logs directory and mode + LogsDirectory = "nginx"; + LogsDirectoryMode = "0750"; # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; }; From a19800fb48b52079c55d88c9f6137f58e8d97918 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 25 Apr 2020 17:02:23 +0300 Subject: [PATCH 2/7] nginx: change logs path --- pkgs/servers/http/nginx/generic.nix | 42 ++++++++++++------- .../http/nginx/nix-skip-check-logs-path.patch | 27 ++++++++++++ pkgs/servers/http/openresty/default.nix | 7 ++-- 3 files changed, 57 insertions(+), 19 deletions(-) create mode 100644 pkgs/servers/http/nginx/nix-skip-check-logs-path.patch diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix index 67a914b6a988..80bc1458ad7a 100644 --- a/pkgs/servers/http/nginx/generic.nix +++ b/pkgs/servers/http/nginx/generic.nix @@ -68,6 +68,14 @@ stdenv.mkDerivation { "--with-http_stub_status_module" "--with-threads" "--with-pcre-jit" + "--http-log-path=/var/log/nginx/access.log" + "--error-log-path=/var/log/nginx/error.log" + "--pid-path=/var/log/nginx/nginx.pid" + "--http-client-body-temp-path=/var/cache/nginx/client_body" + "--http-proxy-temp-path=/var/cache/nginx/proxy" + "--http-fastcgi-temp-path=/var/cache/nginx/fastcgi" + "--http-uwsgi-temp-path=/var/cache/nginx/uwsgi" + "--http-scgi-temp-path=/var/cache/nginx/scgi" ] ++ optionals withDebug [ "--with-debug" ] ++ optionals withStream [ 
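Review bot: With all writable state now declared through `RuntimeDirectory`, `CacheDirectory` and `LogsDirectory`, the `serviceConfig` block could confine filesystem writes to exactly those paths, which the lines shown here do not do. Adding `ProtectSystem = "strict";` (systemd keeps the declared directories writable) would stop a compromised worker from writing elsewhere; configurations that place caches or logs outside these directories would then need `ReadWritePaths`, so this probably wants an opt-out. The log directory is also owned by the service's own user at `0750`, so log readers need membership of the service group, which deserves a comment next to `LogsDirectoryMode`. The `serviceConfig` block starts outside the hunk.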
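Review bot: `--pid-path=/var/log/nginx/nginx.pid` puts the compiled-in default PID file in the persistent log directory rather than the runtime directory. A PID file that survives a reboot can go stale, and helpers that signal the process from it (log rotation, reload scripts) may then signal an unrelated process. The NixOS unit already declares `RuntimeDirectory = "nginx"`, so `"--pid-path=/run/nginx/nginx.pid"` would match it. If the module's generated config always sets `pid` explicitly, this only affects standalone use of the package, but the default is still in the wrong place. The same flag is added in the tengine `configureFlags` hunk of patch 4/7.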
@@ -99,26 +107,28 @@ stdenv.mkDerivation { preConfigure = preConfigure + concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; - patches = map fixPatch - (singleton (substituteAll { + patches = map fixPatch ([ + (substituteAll { src = ./nix-etag-1.15.4.patch; preInstall = '' export nixStoreDir="$NIX_STORE" nixStoreDirLen="''${#NIX_STORE}" ''; - }) ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ - (fetchpatch { - url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch"; - sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a"; - }) - (fetchpatch { - url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/101-feature_test_fix.patch"; - sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y"; - }) - (fetchpatch { - url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/103-sys_nerr.patch"; - sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd"; - }) - ] ++ mapModules "patches"); + }) + ./nix-skip-check-logs-path.patch + ] ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ + (fetchpatch { + url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch"; + sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a"; + }) + (fetchpatch { + url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/101-feature_test_fix.patch"; + sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y"; + }) + (fetchpatch { + url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/103-sys_nerr.patch"; + sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd"; + }) + ] ++ mapModules "patches"); hardeningEnable = optional (!stdenv.isDarwin) "pie"; 
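Review bot: The three `fetchpatch` entries in the rebuilt `patches` list still fetch from the `master` branch of `openwrt/packages`. The `sha256` values pin the content, so a changed upstream file cannot alter the build silently, but it will fail the fetch, and the URL gives no record of which revision was reviewed. Since these lines are being re-indented anyway, consider replacing `master` with a commit id in each URL, e.g. `.../openwrt/packages/<COMMIT_ID_PLACEHOLDER>/net/nginx/patches/102-sizeof_test_fix.patch`. These entries are only moved by this commit, not introduced by it.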
diff --git a/pkgs/servers/http/nginx/nix-skip-check-logs-path.patch b/pkgs/servers/http/nginx/nix-skip-check-logs-path.patch new file mode 100644 index 000000000000..a823660cc32e --- /dev/null +++ b/pkgs/servers/http/nginx/nix-skip-check-logs-path.patch @@ -0,0 +1,27 @@ +diff --git a/auto/install b/auto/install +index d884487..dccc411 100644 +--- a/auto/install ++++ b/auto/install +@@ -148,12 +148,6 @@ install: build $NGX_INSTALL_PERL_MODULES + || cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PATH' + cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX/nginx.conf.default' + +- test -d '\$(DESTDIR)`dirname "$NGX_PID_PATH"`' \\ +- || mkdir -p '\$(DESTDIR)`dirname "$NGX_PID_PATH"`' +- +- test -d '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' \\ +- || mkdir -p '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' +- + test -d '\$(DESTDIR)$NGX_PREFIX/html' \\ + || cp -R $NGX_HTML '\$(DESTDIR)$NGX_PREFIX' + END +@@ -161,9 +155,6 @@ END + + if test -n "$NGX_ERROR_LOG_PATH"; then + cat << END >> $NGX_MAKEFILE +- +- test -d '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' \\ +- || mkdir -p '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' + END + + fi diff --git a/pkgs/servers/http/openresty/default.nix b/pkgs/servers/http/openresty/default.nix index 0e87b9719859..9c01cfb19e1d 100644 --- a/pkgs/servers/http/openresty/default.nix +++ b/pkgs/servers/http/openresty/default.nix @@ -16,10 +16,11 @@ callPackage ../nginx/generic.nix args rec { sha256 = "1a1la7vszv1parsnhphydblz64ffhycazncn3ividnvqg2mg735n"; }; - fixPatch = patch: - runCommand "openresty-${patch.name}" { src = patch; } '' + fixPatch = patch: let name = patch.name or (builtins.baseNameOf patch); in + runCommand "openresty-${name}" { src = patch; } '' substitute $src $out \ - --replace "src/" "bundle/nginx-${nginxVersion}/src/" + --replace "a/" "a/bundle/nginx-${nginxVersion}/" \ + --replace "b/" "b/bundle/nginx-${nginxVersion}/" ''; buildInputs = [ postgresql ]; From 1d71150c73bd3ee3a427950b4c8f29b5a7be060f Mon Sep 17 00:00:00 2001 
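Review bot: `--replace "a/" ...` and `--replace "b/" ...` in `fixPatch` rewrite every occurrence of those two-character strings in the patch, not only the `--- a/` and `+++ b/` path headers. Any hunk line containing `a/` or `b/` (a path ending in `lib/`, for instance) would be rewritten too, which either makes the patch fail to apply or changes the text of an added line without anyone noticing. The patches passed through it today may happen to be safe, but anchoring on the header lines is more robust, e.g. `sed -E 's#^(--- a/|\+\+\+ b/)#\1bundle/nginx-${nginxVersion}/#' $src > $out`.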
From: Izorkin Date: Sat, 25 Apr 2020 17:02:57 +0300 Subject: [PATCH 3/7] tengine: add ETag patch --- pkgs/servers/http/tengine/default.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/tengine/default.nix b/pkgs/servers/http/tengine/default.nix index 1593ad0c06f6..41a913bd61ec 100644 --- a/pkgs/servers/http/tengine/default.nix +++ b/pkgs/servers/http/tengine/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt -, gd, geoip, gperftools, jemalloc +, substituteAll, gd, geoip, gperftools, jemalloc , withDebug ? false , withMail ? false , withStream ? false @@ -24,7 +24,12 @@ stdenv.mkDerivation rec { [ openssl zlib pcre libxml2 libxslt gd geoip gperftools jemalloc ] ++ concatMap (mod: mod.inputs or []) modules; - patches = [ + patches = singleton (substituteAll { + src = ../nginx/nix-etag-1.15.4.patch; + preInstall = '' + export nixStoreDir="$NIX_STORE" nixStoreDirLen="''${#NIX_STORE}" + ''; + }) ++ [ ./check-resolv-conf.patch ]; From 98e0cba4690d8034e4846ee5f36d2ddf68bb4ea3 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sat, 25 Apr 2020 17:05:01 +0300 Subject: [PATCH 4/7] tengine: change logs path --- pkgs/servers/http/tengine/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/servers/http/tengine/default.nix b/pkgs/servers/http/tengine/default.nix index 41a913bd61ec..f3cae597ef9e 100644 --- a/pkgs/servers/http/tengine/default.nix +++ b/pkgs/servers/http/tengine/default.nix @@ -31,6 +31,7 @@ stdenv.mkDerivation rec { ''; }) ++ [ ./check-resolv-conf.patch + ../nginx/nix-skip-check-logs-path.patch ]; configureFlags = [ 
@@ -58,6 +59,14 @@ stdenv.mkDerivation rec { "--with-poll_module" "--with-google_perftools_module" "--with-jemalloc" + "--http-log-path=/var/log/nginx/access.log" + "--error-log-path=/var/log/nginx/error.log" + "--pid-path=/var/log/nginx/nginx.pid" + "--http-client-body-temp-path=/var/cache/nginx/client_body" + "--http-proxy-temp-path=/var/cache/nginx/proxy" + "--http-fastcgi-temp-path=/var/cache/nginx/fastcgi" + "--http-uwsgi-temp-path=/var/cache/nginx/uwsgi" + "--http-scgi-temp-path=/var/cache/nginx/scgi" ] ++ optionals withDebug [ "--with-debug" ] ++ optionals withMail [ From 9f099143bc025ec962c64bda651f85728643f0a2 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 27 Apr 2020 21:54:20 +0300 Subject: [PATCH 5/7] nixos/awstats: change path to nginx logs --- nixos/modules/services/logging/awstats.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/logging/awstats.nix b/nixos/modules/services/logging/awstats.nix index 5939d7808f7f..896f52302ff3 100644 --- a/nixos/modules/services/logging/awstats.nix +++ b/nixos/modules/services/logging/awstats.nix @@ -24,7 +24,7 @@ let logFile = mkOption { type = types.str; - example = "/var/spool/nginx/logs/access.log"; + example = "/var/log/nginx/access.log"; description = '' The log file to be scanned. @@ -110,7 +110,7 @@ in { "mysite" = { domain = "example.com"; - logFile = "/var/spool/nginx/logs/access.log"; + logFile = "/var/log/nginx/access.log"; }; } ''; From 7b368b30727d3970bc26f1d598eda8261f962d83 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 27 Apr 2020 22:07:13 +0300 Subject: [PATCH 6/7] nixos/tests/service-runner: change paths to nginx logs and cache --- nixos/tests/service-runner.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/service-runner.nix b/nixos/tests/service-runner.nix index adb3fcd36d7a..39ae66fe1116 100644 --- a/nixos/tests/service-runner.nix +++ b/nixos/tests/service-runner.nix 
@@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.fail(f"curl {url}") machine.succeed( """ - mkdir -p /run/nginx /var/spool/nginx/logs + mkdir -p /run/nginx /var/log/nginx /var/cache/nginx ${nodes.machine.config.systemd.services.nginx.runner} & echo $!>my-nginx.pid """ From 2d8d8415c0c780307bcff62d1ba63f7ada46d1cb Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 27 Apr 2020 22:16:14 +0300 Subject: [PATCH 7/7] nixos/nginx: add release notes --- nixos/doc/manual/release-notes/rl-2009.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index c6a766cc045a..d9f26f668f8c 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -277,6 +277,13 @@ php.override { + + + The Nginx log directory has been moved to /var/log/nginx, the cache directory + to /var/cache/nginx. The option services.nginx.stateDir has + been removed. + + The httpd web server previously started its main process as root