Switch to alternative custom caddy Method

Might as well use the to-be-upstreamed alternative build:
https://github.com/NixOS/nixpkgs/pull/259275

As a bonus, this doesn't require the sandbox any more.

README.org

@@ -46,6 +46,6 @@ Deploying is simply a matter of entering the deploy nix shell =nix develop= and
 =deploy .#golgi.system=.
 
 In order for this image to be built, the sandbox will need to be set to =false= or
-=relaxed= (for the custom zsh and Caddy builds). This can  be done by adding the
+=relaxed= (for the custom zsh build). This can be done by adding the line ~sandbox = relaxed~
-line ~sandbox = relaxed~ to =/etc/nix/nix.conf=. Just note that the nix-daemon will
+to =/etc/nix/nix.conf=. Just note that the nix-daemon will need to be restarted
-need to be restarted for this new setting to take full effect.
+for this new setting to take full effect.

flake.lock

@@ -4,14 +4,15 @@
       "inputs": {
         "darwin": "darwin",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1701216516,
+        "lastModified": 1703433843,
-        "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
+        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
+        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
         "type": "github"
       },
       "original": {
@@ -28,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
+        "lastModified": 1700795494,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
         "type": "github"
       },
       "original": {
@@ -51,11 +52,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1698921442,
+        "lastModified": 1703087360,
-        "narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=",
+        "narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "660180bbbeae7d60dad5a92b30858306945fd427",
+        "rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7",
         "type": "github"
       },
       "original": {
@@ -67,11 +68,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
+        "lastModified": 1696426674,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -82,7 +83,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1694529238,
@@ -124,11 +125,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682203081,
+        "lastModified": 1703113217,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
         "type": "github"
       },
       "original": {
@@ -139,11 +140,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1677676435,
+        "lastModified": 1703013332,
-        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
         "type": "github"
       },
       "original": {
@@ -155,11 +156,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1701718080,
+        "lastModified": 1704538339,
-        "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
+        "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
+        "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701",
         "type": "github"
       },
       "original": {
@@ -192,13 +193,46 @@
         "type": "github"
       }
     },
-    "utils": {
+    "systems_2": {
       "locked": {
-        "lastModified": 1667395993,
+        "lastModified": 1681028828,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
         "type": "github"
       },
       "original": {

modules/caddy.nix

@@ -6,14 +6,13 @@ with lib;
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.allowedUDPPorts = [ 443 ];
 
-  # If I end up wanting to add plugins, see:
-  # https://mdleom.com/blog/2021/12/27/caddy-plugins-nixos/
   services.caddy = mkMerge [
     {
       enable = true;
       package = pkgs.callPackage ../packages/caddy.nix {
-        plugins = [
+        externalPlugins = [
-          "github.com/tecosaur/caddy-fs-git"
+          {name = "caddy-fs-git"; repo = "github.com/tecosaur/caddy-fs-git";
+           version = "ef9d0ab232f4fe5d7e86312cbba45ff8afea98a1";}
         ];
       };
       virtualHosts."tecosaur.net".extraConfig = ''

packages/caddy.nix

@@ -1,37 +1,104 @@
-{ config, pkgs, plugins, ... }:
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, gnused
+, nixosTests
+, caddy
+, testers
+, installShellFiles
+, externalPlugins ? []
+, vendorHash ? "sha256-O0j6LwUQGa+NnotR2QpSIbNH+RI9y8mRrNoxbJqTw8k="
+}:
 
-with pkgs;
+let
-
+  attrsToModules = attrs:
-stdenv.mkDerivation rec {
+    builtins.map ({name, repo, version}: "${repo}") attrs;
-  # Disable the Nix build sandbox for this specific build.
+  attrsToSources = attrs:
-  # This means the build can freely talk to the Internet.
+    builtins.map ({name, repo, version}: "${repo}@${version}") attrs;
-  # Requires the sandbox to be set to false/"relaxed".
+in buildGoModule rec {
-  __noChroot = true;
   pname = "caddy";
-  # https://github.com/NixOS/nixpkgs/issues/113520
+  version = "2.7.6";
-  version = "latest";
-  dontUnpack = true;
 
-  nativeBuildInputs = [ git go xcaddy ];
+  dist = fetchFromGitHub {
+    owner = "caddyserver";
+    repo = "dist";
+    rev = "v${version}";
+    hash = "sha256-uY6MU8iXfGK6+HP2Lc+3iPE5wY35NbGp8pMZWpNVPSg=";
+  };
 
-  configurePhase = ''
+  src = fetchFromGitHub {
-    export GOCACHE=$TMPDIR/go-cache
+    owner = "caddyserver";
-    export GOPATH="$TMPDIR/go"
+    repo = "caddy";
+    rev = "v${version}";
+    hash = "sha256-th0R3Q1nGT0q5PGOygtD1/CpJmrT5TYagrwQR4t/Fvg=";
+  };
+
+  inherit vendorHash;
+
+  subPackages = [ "cmd/caddy" ];
+
+  ldflags = [
+    "-s" "-w"
+    "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}"
+  ];
+
+  nativeBuildInputs = [ gnused installShellFiles ];
+
+  modBuildPhase = ''
+    for module in ${builtins.toString (attrsToModules externalPlugins)}; do
+      sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go
+    done
+    for plugin in ${builtins.toString (attrsToSources externalPlugins)}; do
+      go get $plugin
+    done
+
+    go generate
+    go mod vendor
   '';
 
-  buildPhase = let
+  modInstallPhase = ''
-    pluginArgs = lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins;
+    mv -t vendor go.mod go.sum
-  in ''
+    cp -r --reflink=auto vendor "$out"
-    runHook preBuild
-    ${xcaddy}/bin/xcaddy build latest ${pluginArgs}
-    runHook postBuild
   '';
 
+  preBuild = ''
+    chmod -R u+w vendor
+    [ -f vendor/go.mod ] && mv -t . vendor/go.{mod,sum}
+    go generate
 
-  installPhase = ''
+    for module in ${builtins.toString (attrsToModules externalPlugins)}; do
-    runHook preInstall
+      sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go
-    mkdir -p $out/bin
+    done
-    mv caddy $out/bin
-    runHook postInstall
   '';
+
+  postInstall = ''
+    install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
+
+    substituteInPlace $out/lib/systemd/system/caddy.service --replace "/usr/bin/caddy" "$out/bin/caddy"
+    substituteInPlace $out/lib/systemd/system/caddy-api.service --replace "/usr/bin/caddy" "$out/bin/caddy"
+
+    $out/bin/caddy manpage --directory manpages
+    installManPage manpages/*
+
+    installShellCompletion --cmd caddy \
+      --bash <($out/bin/caddy completion bash) \
+      --fish <($out/bin/caddy completion fish) \
+      --zsh <($out/bin/caddy completion zsh)
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) caddy;
+    version = testers.testVersion {
+      command = "${caddy}/bin/caddy version";
+      package = caddy;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://caddyserver.com";
+    description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS";
+    license = licenses.asl20;
+    mainProgram = "caddy";
+    maintainers = with maintainers; [ Br1ght0ne emilylange techknowlogick ];
+  };
 }