New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/haproxy: check conf on build #109250
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change the PR and commit message title to nixos/haproxy: check conf on build
or similar.
ping @symphorien @Ma27 |
@SuperSandro2000 Anything else needs to be revised? I am not sure about the editorConfig test tho: I intended to leave an extra newline when generating before appending user config. |
@NeverBehave please review this PR: #62853 |
I'm not familiar with haproxy. Does it check that paths like certificates http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#ca-file%20%28Bind%20options%29 exist during the configuration check ? If this is the case, the test will fail in the sandbox and there should be an option to disable checking (off by default). Disabling the check is also probably necessary if someone ever wants to cross compile a full nixos system with haproxy. All those concerns are theoretical, they may or may not refer to realistic use cases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the failing test there is trailing whitespace somewhere. Please remove it.
@@ -3,12 +3,15 @@ | |||
let | |||
cfg = config.services.haproxy; | |||
|
|||
haproxyCfg = pkgs.writeText "haproxy.conf" '' | |||
haproxyCfg = pkgs.runCommand "haproxy.conf" { CONFIG=cfg.config; } '' | |||
cat > $out <<EOF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be quoted, otherwise parameter expansion and command substitution will be applied in the heredoc, see https://www.gnu.org/software/bash/manual/bash.html#Here-Documents
cat > $out <<EOF | |
cat > $out <<'EOF' |
|
||
${cfg.config} | ||
|
||
EOF | ||
echo "$CONFIG" >> $out |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the point of this change actually?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wanna separate the hard coded config with the user config, but yeah I think they could go together in the same doc part.
From the manual it said “Only checks config file and exits with code 0 if no error was found, or exits with code 1 if a syntax error was found.” I believe only syntax error will fail the build, where the path won’t be touch during validation. I didn’t thought about that at first so I would give it a shot. |
Well it looks like that the certificate file will be checked. Then I think it is better to keep it away from the sandbox for now. Thanks for pointing this out. |
Motivation for this change
Current services will continue deploying configuration even though config may contain syntax errors. This pull request check config syntax on build which makes it easier to notice errors.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)