Fixes and housekeeping for the varnish module

nixos/modules/services/web-servers/varnish/default.nix

@@ -5,65 +5,80 @@
   ...
 }:
 
-with lib;
-
 let
   cfg = config.services.varnish;
 
+  # Varnish has very strong opinions and very complicated code around handling
+  # the stateDir. After a lot of back and forth, we decided that we a)
+  # do not want a configurable option here, as most of the handling depends
+  # on the version and the compile time options. Putting everything into
+  # /var/run (RAM backed) is absolutely recommended by Varnish anyways.
+  # We do need to pay attention to the version-dependend variations, though!
+  stateDir =
+    if
+      (lib.versionOlder cfg.package.version "7")
+    # Remove after Varnish 6.0 is gone. In 6.0 varnishadm always appends the
+    # hostname (by default) and can't be nudged to not use any name. This has
+    # long changed by 7.5 and can be used without the host name.
+    then
+      "/var/run/varnish/${config.networking.hostName}"
+    # Newer varnish uses this:
+    else
+      "/var/run/varnishd";
+
   commandLine =
     "-f ${pkgs.writeText "default.vcl" cfg.config}"
     +
-      optionalString (cfg.extraModules != [ ])
+      lib.optionalString (cfg.extraModules != [ ])
         " -p vmod_path='${
-           makeSearchPathOutput "lib" "lib/varnish/vmods" ([ cfg.package ] ++ cfg.extraModules)
+           lib.makeSearchPathOutput "lib" "lib/varnish/vmods" ([ cfg.package ] ++ cfg.extraModules)
          }' -r vmod_path";
 in
 {
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "services"
+      "varnish"
+      "stateDir"
+    ] "The `stateDir` option never was functional or useful. varnish uses compile-time settings.")
+  ];
+
   options = {
     services.varnish = {
-      enable = mkEnableOption "Varnish Server";
+      enable = lib.mkEnableOption "Varnish Server";
 
-      enableConfigCheck = mkEnableOption "checking the config during build time" // {
+      enableConfigCheck = lib.mkEnableOption "checking the config during build time" // {
         default = true;
       };
 
-      package = mkPackageOption pkgs "varnish" { };
+      package = lib.mkPackageOption pkgs "varnish" { };
 
-      http_address = mkOption {
-        type = types.str;
+      http_address = lib.mkOption {
+        type = lib.types.str;
         default = "*:6081";
         description = ''
           HTTP listen address and port.
         '';
       };
 
-      config = mkOption {
-        type = types.lines;
+      config = lib.mkOption {
+        type = lib.types.lines;
         description = ''
           Verbatim default.vcl configuration.
         '';
       };
 
-      stateDir = mkOption {
-        type = types.path;
-        default = "/run/varnish/${config.networking.hostName}";
-        defaultText = literalExpression ''"/run/varnish/''${config.networking.hostName}"'';
-        description = ''
-          Directory holding all state for Varnish to run. Note that this should be a tmpfs in order to avoid performance issues and crashes.
-        '';
-      };
-
-      extraModules = mkOption {
-        type = types.listOf types.package;
+      extraModules = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
         default = [ ];
-        example = literalExpression "[ pkgs.varnishPackages.geoip ]";
+        example = lib.literalExpression "[ pkgs.varnishPackages.geoip ]";
         description = ''
           Varnish modules (except 'std').
         '';
       };
 
-      extraCommandLine = mkOption {
-        type = types.str;
+      extraCommandLine = lib.mkOption {
+        type = lib.types.str;
         default = "";
         example = "-s malloc,256M";
         description = ''
@@ -74,30 +89,20 @@ in
 
   };
 
-  config = mkIf cfg.enable {
-
+  config = lib.mkIf cfg.enable {
     systemd.services.varnish = {
       description = "Varnish";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
-      preStart = mkIf (!(lib.hasPrefix "/run/" cfg.stateDir)) ''
-        mkdir -p ${cfg.stateDir}
-        chown -R varnish:varnish ${cfg.stateDir}
-      '';
-      postStop = mkIf (!(lib.hasPrefix "/run/" cfg.stateDir)) ''
-        rm -rf ${cfg.stateDir}
-      '';
       serviceConfig = {
         Type = "simple";
         PermissionsStartOnly = true;
-        ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${cfg.stateDir} -F ${cfg.extraCommandLine} ${commandLine}";
+        ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${stateDir} -F ${cfg.extraCommandLine} ${commandLine}";
         Restart = "always";
         RestartSec = "5s";
         User = "varnish";
         Group = "varnish";
-        RuntimeDirectory = mkIf (lib.hasPrefix "/run/" cfg.stateDir) (
-          lib.removePrefix "/run/" cfg.stateDir
-        );
+        RuntimeDirectory = lib.removePrefix "/var/run/" stateDir;
         AmbientCapabilities = "cap_net_bind_service";
         NoNewPrivileges = true;
         LimitNOFILE = 131072;
@@ -107,7 +112,7 @@ in
     environment.systemPackages = [ cfg.package ];
 
     # check .vcl syntax at compile time (e.g. before nixops deployment)
-    system.checks = mkIf cfg.enableConfigCheck [
+    system.checks = lib.mkIf cfg.enableConfigCheck [
       (pkgs.runCommand "check-varnish-syntax" { } ''
         ${cfg.package}/bin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1)
       '')

nixos/tests/all-tests.nix

@@ -1139,6 +1139,7 @@ in {
   v2ray = handleTest ./v2ray.nix {};
   varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; };
   varnish75 = handleTest ./varnish.nix { package = pkgs.varnish75; };
+  varnish76 = handleTest ./varnish.nix { package = pkgs.varnish76; };
   vault = handleTest ./vault.nix {};
   vault-agent = handleTest ./vault-agent.nix {};
   vault-dev = handleTest ./vault-dev.nix {};

nixos/tests/varnish.nix

@@ -56,8 +56,12 @@ import ./make-test-python.nix (
 
       client.wait_until_succeeds("curl -f http://varnish/nix-cache-info");
 
-      client.wait_until_succeeds("nix-store -r ${testPath}");
-      client.succeed("${testPath}/bin/hello");
+      client.wait_until_succeeds("nix-store -r ${testPath}")
+      client.succeed("${testPath}/bin/hello")
+
+      output = varnish.succeed("varnishadm status")
+      print(output)
+      assert "Child in state running" in output, "Unexpected varnishadm response"
     '';
   }
 )

pkgs/servers/varnish/default.nix

@@ -54,7 +54,7 @@ let
         ++ lib.optional stdenv.hostPlatform.isDarwin libunwind
         ++ lib.optional stdenv.hostPlatform.isLinux jemalloc;
 
-      buildFlags = [ "localstatedir=/var/spool" ];
+      buildFlags = [ "localstatedir=/var/run" ];
 
       postPatch = ''
         substituteInPlace bin/varnishtest/vtc_main.c --replace /bin/rm "${coreutils}/bin/rm"
@@ -83,7 +83,7 @@ let
         description = "Web application accelerator also known as a caching HTTP reverse proxy";
         homepage = "https://www.varnish-cache.org";
         license = licenses.bsd2;
-        maintainers = [ ];
+        maintainers = lib.teams.flyingcircus.members;
         platforms = platforms.unix;
       };
     };
@@ -99,4 +99,9 @@ in
     version = "7.5.0";
     hash = "sha256-/KYbmDE54arGHEVG0SoaOrmAfbsdgxRXHjFIyT/3K10=";
   };
+  # EOL 2025-09-15
+  varnish76 = common {
+    version = "7.6.1";
+    hash = "sha256-Wpu1oUn/J4Z7VKZs4W0qS5Pt/6VHPLh8nHH3aZz4Rbo=";
+  };
 }

pkgs/servers/varnish/modules.nix

@@ -59,4 +59,8 @@ in
     version = "0.24.0";
     hash = "sha256-2MfcrhhkBz9GyQxEWzjipdn1CBEqnCvC3t1G2YSauak=";
   };
+  modules25 = common {
+    version = "0.25.0";
+    hash = "sha256-m/7moizVyvoP8xnpircAFVUqCmCfTGkgVyRc6zkdVsk=";
+  };
 }

pkgs/servers/varnish/packages.nix

@@ -3,6 +3,7 @@
   callPackage,
   varnish60,
   varnish75,
+  varnish76,
 }:
 {
   varnish60Packages = rec {
@@ -23,4 +24,8 @@
     varnish = varnish75;
     modules = (callPackages ./modules.nix { inherit varnish; }).modules24;
   };
+  varnish76Packages = rec {
+    varnish = varnish76;
+    modules = (callPackages ./modules.nix { inherit varnish; }).modules25;
+  };
 }

pkgs/top-level/all-packages.nix

@@ -5493,9 +5493,9 @@ with pkgs;
   unzipNLS = lowPrio (unzip.override { enableNLS = true; });
 
   inherit (callPackages ../servers/varnish { })
-    varnish60 varnish75;
+    varnish60 varnish75 varnish76;
   inherit (callPackages ../servers/varnish/packages.nix { })
-    varnish60Packages varnish75Packages;
+    varnish60Packages varnish75Packages varnish76Packages;
 
   varnishPackages = varnish75Packages;
   varnish = varnishPackages.varnish;