nixos/invoiceplane: Don't force http with Caddy

2026-06-05 21:03:40 +00:00 · 2025-01-05 19:01:08 +01:00
parent 8f3f3cf13d
commit 93ef567fce
3 changed files with 24 additions and 10 deletions
--- a/nixos/doc/manual/release-notes/rl-2605.section.md
+++ b/nixos/doc/manual/release-notes/rl-2605.section.md
@@ -200,6 +200,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  - `nextcloud31` is EOL and was thus removed.
  - Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to `nextcloud32` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud32;`](#opt-services.nextcloud.package).

+- InvoicePlane with the Caddy webserver (`services.invoiceplane.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only.
+  To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
+  If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
+
 - `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.

 - `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
--- a/nixos/modules/services/web-apps/invoiceplane.nix
+++ b/nixos/modules/services/web-apps/invoiceplane.nix
@@ -441,7 +441,7 @@ in
        enable = true;
        virtualHosts = mapAttrs' (
          hostName: cfg:
-          (nameValuePair "http://${hostName}" {
+          (nameValuePair hostName {
            extraConfig = ''
              root * ${pkg hostName cfg}
              file_server
--- a/nixos/tests/invoiceplane.nix
+++ b/nixos/tests/invoiceplane.nix
@@ -26,7 +26,17 @@
          };
        };

-        networking.firewall.allowedTCPPorts = [ 80 ];
+        services.caddy.virtualHosts."site1.local".extraConfig = ''
+          tls internal
+        '';
+        services.caddy.virtualHosts."site2.local".extraConfig = ''
+          tls internal
+        '';
+
+        networking.firewall.allowedTCPPorts = [
+          80
+          443
+        ];
        networking.hosts."127.0.0.1" = [
          "site1.local"
          "site2.local"
@@ -76,41 +86,41 @@
          machine.wait_for_unit(f"phpfpm-invoiceplane-{site_name}")

          with subtest("Website returns welcome screen"):
-              assert "Please install InvoicePlane" in machine.succeed(f"curl -L {site_name}")
+              assert "Please install InvoicePlane" in machine.succeed(f"curl -sSfkL {site_name}")

          with subtest("Finish InvoicePlane setup"):
            machine.succeed(
-              f"curl -sSfL --cookie-jar cjar {site_name}/setup/language"
+              f"curl -sSfkL --cookie-jar cjar {site_name}/setup/language"
            )
            csrf_token = machine.succeed(
              "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
            )
            machine.succeed(
-              f"curl -sSfL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&ip_lang=english&btn_continue=Continue' {site_name}/setup/language"
+              f"curl -sSfkL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&ip_lang=english&btn_continue=Continue' {site_name}/setup/language"
            )
            csrf_token = machine.succeed(
              "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
            )
            machine.succeed(
-              f"curl -sSfL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/prerequisites"
+              f"curl -sSfkL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/prerequisites"
            )
            csrf_token = machine.succeed(
              "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
            )
            machine.succeed(
-              f"curl -sSfL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/configure_database"
+              f"curl -sSfkL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/configure_database"
            )
            csrf_token = machine.succeed(
              "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
            )
            machine.succeed(
-              f"curl -sSfl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/install_tables"
+              f"curl -sSfkl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/install_tables"
            )
            csrf_token = machine.succeed(
              "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
            )
            machine.succeed(
-              f"curl -sSfl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/upgrade_tables"
-            )
+              f"curl -sSfkl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/upgrade_tables"
+          )
  '';
 }