nixos/caddy: Fix default log file for http:// hostnames

[lluchs]

Caddy hostnames can begin with http:// to disable automatic HTTPS. The default value for services.caddy.<host>.logFormat puts the hostname in the log filename, resulting in a broken path.

Since version 2.9.0 (commit 7c52e7a), caddy fails to start if it cannot open the log file. This caused NixOS test failures (e.g., nixosTests.dokuwiki).

See also #327743

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[lluchs]

This fixes nixosTests.dokuwiki, but I could not run nixosTests.caddy due to an unrelated error:

error: hash mismatch in fixed-output derivation '/nix/store/421acz3c6hwrvw28fllk92674f0cj8wh-caddy-src-with-plugins-9b8196a94dcec133c627ba33c9910da7-2.9.0.drv':                                                                                               
         specified: sha256-zgMdtOJbmtRSfTlrrg8njr11in2C7OAXLB+34V23jek=                                                                                                                                                                                        
            got:    sha256-BorJJWICgAWU7DrpDZJWifMnIYtGWldt/4S1VELwGJI=                                                                                                                                                                                        
error: 1 dependencies of derivation '/nix/store/pkn3asmczdcjb07cqssn9y63vgbjc1ja-caddy-2.9.0.drv' failed to build                                                                                                                                              
error: 1 dependencies of derivation '/nix/store/sdmx72030mqswj5i9sjrrmp4mny033d4-system-generators.drv' failed to build                                                                                                                                        
error: 1 dependencies of derivation '/nix/store/7dbcrs3hbwsn87nd6x77lcadi74gg3lx-etc.drv' failed to build                                                                                                                                                      
error: 1 dependencies of derivation '/nix/store/y6vbpmy6dnm1vy5ag8wjj7kj3f119m7i-nixos-system-webserver-test.drv' failed to build
error: 1 dependencies of derivation '/nix/store/gi6g9gqa1sv2sa56cvqwmxaq52487hjh-nixos-system-webserver-test.drv' failed to build
error: 1 dependencies of derivation '/nix/store/74vsg9zjyjcxyh0dkdszmxil6kbkjcqk-nixos-test-driver-caddy.drv' failed to build
error: 1 dependencies of derivation '/nix/store/5avv3aqkgipqpnkigbhgv2id215nrw75-vm-test-run-caddy.drv' failed to build

[stepbrobd]

Might be relevant: caddyserver/caddy#6766

I could not run nixosTests.caddy due to an unrelated error

This might be caused by

nixpkgs/nixos/tests/caddy.nix

Line 73 in 5634f52

hash = "sha256-zgMdtOJbmtRSfTlrrg8njr11in2C7OAXLB+34V23jek=";

I added this tests to ensure caddy with plugins don't regress overtime, but it seems that we need to update this hash every time there's been an update. The test was able to successfully run for that update PR because of the hash didn't change and it just used the cached version...

[stepbrobd]

IIRC we can also force proxied endpoint to use https by prefixing the hostname with https:// right? Would it be better if we remove https:// or http:// all together? I don't really have a preference here, I just want to hear your thoughts on this

[lluchs]

You're right. That would give us nicer filenames for sure. If someone defines http://example.com and https://example.com, both of them would go to access-example.com.log (does Caddy open the file twice then and does it do proper locking? - edit: looks like it deduplicates loggers by file name here). A catch-all written as just https:// is apparently also allowed and would be access-.log then.

I'm open for both options. We really just need a default that works, since it's very easy to provide a custom log file name anyways.

[stepbrobd]

Let's go with the current version. Could you also fix the hash mismatch and see if the test runs?

[lluchs]

Sure. With the fixed hash, the test runs fine.

[lluchs]

@onny pointed me to the discussion in #309908 where it was pointed out that multiple space-separated hostnames are also allowed by Caddy. I added a fix and a test for that here as well.

[stepbrobd]

multiple space-separated hostnames are also allowed by Caddy

this is new to me 🤣 both caddy and dokuwiki tests pass