@zimbatm how familiar are you with nginx configuration on NixOS? I'm adding a locations option to the httpd service, which is pretty much a copy+paste of the nginx code. Due to the differences in httpd and nginx configuration I figure a locations option won't be sufficient, and a directories option will be required too.

Thanks to your explanation of unsafeDiscardStringContext I'm now trying to decide if a directories option is "worth it" or not. I think overall it is, though maybe with some documented caveats.

A simple example of using directories safely with no problem:

services.httpd = {
  enable = true;
  virtualHosts.localhost = {
    directories."/var/www" = {
      alias = "/";
      index = "index.html";
      extraConfig = "Require all granted";
    };
  };
};

An example which might not be so safe:

services.httpd = {
  enable = true;
  virtualHosts.localhost = {
    directories."${builtins.unsafeDiscardStringContext pkgs.someWebApp}" = {
      alias = "/";
      index = "index.html";
      extraConfig = "Require all granted";
    };
  };
};

Usually web app modules will reference pkg.someWebApp elsewhere in the module, so practically speaking this probably isn't an issue.

I appreciate any and all feedback @zimbatm. Thanks!

Avoid using unsafeDiscardStringContext unless you can prove that it will work as intended. For example in your second example, because the only reference to pkgs.someWebApp is without context, nixos-rebuild switch won't build pkgs.someWebApp and the httpd config will be left with a dangling reference in there. So it's quite risky.

Probably the best approach is to copy the nginx model and have a set of HTTP aliases that map back to roots. Collect all the roots into a list and then generate the read-only directory entries.

I'm not familiar with nginx so I'll have to do some research. Thank you for your advice!

@zimbatm I've looked through nginx documentation and understand what it is doing more specifically now. The approaches taken by the two web servers are fundamentally different it appears. With httpd you should never manage permissions with Location directives, only Directory directives. Not all Directory directives have one-to-one virtual mappings, so this doesn't quite line up with only a locations option.

A quick example of where generating both Directory and Location directives from a single virtualHosts.<name>.locations option would fall short:

DocumentRoot /var/www
<Directory /var/www>
  Require valid-user
</Directory>

With httpd you want to be able to specify real file level paths without having to specify a virtual mapping and this is why I continue to think that a directories option is appropriate. I guess the question becomes: is there a better way to implement a directories option than I have, that doesn't depend on unsafeDiscardStringContext 🤔

As always, feedback is greatly appreciated. Thanks!

Fundamentally we are trying to map the httpd config format to JSON-like data structures. I don't remember the syntax well enough but I think it's not completely straight-forward. Which is why the current state of the art is to write the config by hand.

Try and take a look at the syntax and thing how it could be represented in pure nix data.

Alternatively the directories could also be transformed into lists to bypass that specific problem:

services.httpd = {
  // A list of directory configs
  virtualHosts.localhost.directories = [
    {
      path = pkgs.someWebApp;
      alias = "/";
      index = "index.html";
      extraConfig = "Require all granted";
    };
  ];
};

@zimbatm part of the problem I'm trying to solve is making directories and locations able to merge. The httpd already has a list of directories. Once you declare a directory in a list it can't be accessed and modified, or merged with something else.

What should happen if two different modules set values for the same location? Should they merge, fail or the last one wins? Potentially this could be handled by a filter operation after the fact.

I would expect some merging and mkForce semantics. extraConfig is lines so merge by default. index, etc... are nullOr so I imagine in many cases nothing required as its mostly extraConfig you want to modify.

extraConfig = "Require all granted" -> extraConfig = "Require valid-user, for example.

@zimbatm I'm not satisfied I have the best answer for directories yet, so leaving that out for now and just going ahead with locations.

Look good?

@GrahamcOfBorg test upnp

🤷‍♂️