varnish,nixos/varnish: expose stateDir from package to module

Unfortunately, Vinyl Cache has decided to change the default state dir
in a patch release. As this is a compile-time constant, we
- now explicitly provide a well-chosen stateDir in the package
- basically keep the stateDir as is, beacuse /var/run/ is a symlink to
  /run
- expose it via passthru to the module that picks up the particular
  stateDir of the package used

Note: The patch file has been created from git, but then manually
altered Makefile.am -> Makefile.in to account for the preprocessing of
the release tarball.

nixos/modules/services/web-servers/vinyl-cache/default.nix

@@ -18,12 +18,9 @@ let
   cfg = config.services.vinyl-cache;
 
   # Vinyl Cache has very strong opinions and very complicated code around handling
-  # the stateDir. After a lot of back and forth, we decided that we a)
-  # do not want a configurable option here, as most of the handling depends
-  # on the version and the compile time options. Putting everything into
-  # /var/run (RAM backed) is absolutely recommended by Vinyl Cache anyways.
-  # We do need to pay attention to the version-dependend variations, though!
-  stateDir = "/var/run/vinyld";
+  # the stateDir. After a lot of back and forth, we decided to set the stateDir
+  # at compile time and let the package expose the particular path as passthru.
+  stateDir = cfg.package.stateDir;
 
   # from --help:
   #   -a [<name>=]address[:port][,proto] # HTTP listen address and port
@@ -183,13 +180,13 @@ in
         after = [ "network.target" ];
         serviceConfig = {
           Type = "simple";
-          ExecStart = "${cfg.package}/bin/vinyld ${commandLineAddresses} -n ${stateDir} -F ${cfg.extraCommandLine} ${commandLine}";
+          ExecStart = "${cfg.package}/bin/vinyld ${commandLineAddresses} -F ${cfg.extraCommandLine} ${commandLine}";
           Restart = "always";
           RestartSec = "5s";
           User = "vinyl-cache";
           Group = "vinyl-cache";
           DynamicUser = true;
-          RuntimeDirectory = lib.removePrefix "/var/run/" stateDir;
+          RuntimeDirectory = lib.removePrefix "/run/" stateDir;
           AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
           NoNewPrivileges = true;
           LimitNOFILE = 131072;
@@ -221,6 +218,10 @@ in
             assertion = cfg.package.pname == "vinyl-cache";
             message = "services.vinyl-cache only supports Vinyl Cache. Please use services.varnish.";
           }
+          {
+            assertion = lib.strings.hasPrefix "/run/" stateDir;
+            message = "The vinyl-cache NixOS mosule only supports statedirs in /run/, but vinyl-cache package was compiled with ${stateDir}.";
+          }
         ];
     })
     (lib.mkIf (cfg.enable && cfg.enableFileLogging) {

pkgs/servers/vinyl-cache/0001-Makefile-do-not-create-VINYL_STATE_DIR.patch

@@ -0,0 +1,26 @@
+From 51ee9140e547eccfae99c6ee0846b8d1023d463e Mon Sep 17 00:00:00 2001
+From: Oliver Schmidt <os@flyingcircus.io>
+Date: Tue, 19 May 2026 23:31:18 +0200
+Subject: [PATCH] Makefile: do not create VINYL_STATE_DIR
+
+In the nix expression, we continue to hardcode /var/run
+as a statedirectory. But trying to create that  top-level
+directory from within the build sandbox fails (and is
+a wrong move anyways).
+
+An upstream solution would need to be more nuanced though.
+
+diff --git a/Makefile.in b/Makefile.in
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -44,7 +44,6 @@ AM_DISTCHECK_CONFIGURE_FLAGS += --with-unwind
+ endif
+ 
+ install-data-local:
+-	$(install_sh) -d -m 0755 "${VINYL_STATE_DIR}"
+ 
+ distclean-local:
+ 	-find . '(' -name '*.gcda' -o -name '*.gcda' ')' -exec rm '{}' ';'
+-- 
+2.51.2
+

pkgs/servers/vinyl-cache/default.nix

@@ -19,6 +19,21 @@
 }:
 
 let
+  # Vinyl Cache has very strong opinions and very complicated code around handling
+  # the stateDir. After a lot of back and forth, we decided that we
+  # a) do not want a configurable option here, as most of the handling depends
+  # on the version and the compile time options.
+  # b) Vinyl Cache prefers RAM backed stateDirs due to shared memory usage.
+  # /var/run (RAM backed) is a very good fit as long as it is *not* mounted as
+  # `noexec`, which is currently not the case in NixOS but in other distros.
+  # https://code.vinyl-cache.org/vinyl-cache/vinyl-cache/issues/4477
+  # c) need to explicitly specify this at compile-time as upstream even changed
+  # defaults in a patch release.
+  # To handle potential version-dependent differences, the path is exposed to a
+  # module using the package via passthru.
+  stateDirPrefix = "/run";
+  # the actual subdirectory is created by vinyld itself within the prefix at runtime
+  stateDir = "${stateDirPrefix}/vinyld";
   generic =
     {
       version,
@@ -60,10 +75,12 @@ let
         "ac_cv_have_tcp_fastopen=yes"
         "ac_cv_have_tcp_keep=yes"
         "ac_cv_have_working_close_range=yes"
+
         "PYTHON=${buildPackages.python3.interpreter}"
+        "--with-statedir=${stateDirPrefix}"
       ];
 
-      buildFlags = [ "localstatedir=/var/run" ];
+      patches = [ ./0001-Makefile-do-not-create-VINYL_STATE_DIR.patch ];
 
       postPatch = ''
         substituteInPlace bin/vinyltest/vtest2/src/vtc_main.c --replace-fail /bin/rm "${coreutils}/bin/rm"
@@ -109,6 +126,8 @@ let
       passthru = {
         python = python3;
         tests = nixosTests."vinyl-cache_${lib.versions.major version}";
+        # pass-thru compile-time value for usage in module
+        inherit stateDir;
       };
 
       meta = {