Replace caddy with nginx

Before this commit, we used Caddy. Here's what was needed to make that setup go:
- As we needed the layer4 plugin, we had to compile caddy with layer4 using an
  unsupported technique in nix
- As the layer4 plugin did not support caddyfile, we had to use caddy.json
- We wrote some nix code to set up reverse proxy routes easily; however, this was
  a challenge to reasonably maintain, and caddy.json is far
  less well documented than caddyfile, leading to a significant amount of pain
  if we ever needed to break out
- Several modules in NixOS use nginx by default (privatebin, nextcloud etc.); we
  need to disable and then replicate their setup. This is often nontrivial

Nginx has some distinct advantages for Clicks specifically on NixOS:
- "Streams" are supported out of the box, meaning no layer4 plugin
- Nginx has a standard nixified interface for virtual hosts, meaning there's no
  breaking out into nginx config for http
  - Note how you may still have to break out for TCP/UDP streams
- Nginx configurations, including relatively complex ones (e.g. nextcloud), are
  often included with modules by default. Choosing nginx will avoid us rewriting
  these, as well as all the pain and debugging that comes with that

Additionally:
- Nginx has excellent integration with the builtin ACME module. I am satisfied
  with its ability to replace caddy on that front
- A major point in the favor of caddy is usability. Unfortunately, this really
  only seems to apply to caddyfile, with caddy.json being significantly more
  cumbersome to write, even with nix helper functions
- It is trivial to write some simple but decent helper functions for nginx

Alternatives considered:
- Stick with caddy
  - Too much maintenance burden
  - We struggle to update it frequently, due to the plugin install bits
- Use traefik
  - From a short look, it's too complex for our needs
  - It doesn't have configs built into nix in the same way as nginx
- Use apache2
  - Apache has no analogue to nginx streams
  - It doesn't have configs built into nix in the same way as nginx

This commit will need a followup in future to improve the typing of the Service
type. We have a very basic implementation but it would be nice to be able to
check for types that are inside it rather than just the top level.

Change-Id: I25e7ba48cec6b9308e6aa9a14f57a8c192918c92
diff --git a/flake.lock b/flake.lock
index cf8678c..6dd1f0b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -54,6 +54,24 @@
"type": "github"
}
},
+ "helpers": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1697846472,
+ "narHash": "sha256-OWxoAM79X6fssw6CnlhPvxfmuoC4Aq4PX+0aYv/ONBQ=",
+ "ref": "refs/heads/main",
+ "rev": "5c7ee827fd35a9b2e489e919796f73536788c483",
+ "revCount": 11,
+ "type": "git",
+ "url": "https://git.clicks.codes/Clicks/NixHelpers"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.clicks.codes/Clicks/NixHelpers"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
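Review bot: The new `helpers` input is locked from `refs/heads/main` of https://git.clicks.codes/Clicks/NixHelpers and its `original` entry carries no `ref` or `rev`, so every `nix flake update` moves it to whatever the head of main is at that moment. The locked `rev` and `narHash` keep builds reproducible between updates, but I'd suggest pinning a tag or rev for this input in flake.nix, or at least reviewing the NixHelpers diff whenever this lock entry changes, since the code is evaluated as part of our flake.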
@@ -141,6 +159,20 @@
},
"nixpkgs_2": {
"locked": {
+ "lastModified": 1697688401,
+ "narHash": "sha256-61QlajY7R9PbK25uFl55zh968CVNspwXX1zzimic4Uo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "458ef9126aa380996d77d44f53f886c2d8485f53",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
"lastModified": 1693428224,
"narHash": "sha256-FWUUlhYqkGEySUD0blTADRiDQ7fw+H1ikivfu88uy+w=",
"owner": "nixos",
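Review bot: The new `nixpkgs_2` node is a second locked nixpkgs, referenced only by `helpers`, and its `original` is `"type": "indirect"` with `"id": "nixpkgs"`, so it was resolved through the flake registry of whoever generated the lock rather than from a URL we state. Consider setting `inputs.helpers.inputs.nixpkgs.follows = "nixpkgs"` in flake.nix (the home-manager lock entry already uses the list form that `follows` produces); that removes this node and the `nixpkgs_3` renumbering, and leaves a single nixpkgs revision to audit.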
@@ -159,8 +191,9 @@
"inputs": {
"deploy-rs": "deploy-rs",
"flake-utils": "flake-utils",
+ "helpers": "helpers",
"home-manager": "home-manager",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
"nixpkgs-clicksforms": "nixpkgs-clicksforms",
"nixpkgs-privatebin": "nixpkgs-privatebin",
"scalpel": "scalpel",