Software with DSL config files normally has a way to validate the config file before the service is restarted. I'd like to assert that the generated config file passes that test before the systemd service is restarted.
For example, for nginx one can do nginx -t -c default.confg, and a non-zero exit code should stop the nixos-rebuild script with an error.
PS: if such a convention already exists, I'm happy to document it somewhere (wiki?)
Oh, this is IMO a really good idea. I don't know of any place where it's used, but that's not useful information, as I know very little about NixOS expressions.
I think you could do this in a similar way to how modules/services/networking/ircd-hybrid/default.nix is done, since there it creates a derivation and you could run the configtest in one of the test phases.
We actually had something like that in the Upstart era. See e.g. https://github.com/NixOS/nixos/blob/ce3941d6e6d7c5f4f683d3ef25070cd1c803a79b/modules/services/web-servers/apache-httpd/default.nix (look for "buildHook"). The idea was that building the httpd job fails if the configuration file is not syntactically correct. (Well, that was the theory. It didn't actually work because "httpd -t" is impure.)
There is no way to create user/group before the build check? Nginx seems to do the same:
nginx: [emerg] getpwnam("www-data2") failed in /etc/nginx/nginx.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
Can't the needed files be built in a separate derivation? Then it could be given as another input.
Yes, that was an example of building a NixOS service by a derivation... so you want this and additionally a test phase that checks the config.
Moreover, I just speculated that if you're missing some other stuff (like /etc/passwd), IMHO it could be separated into another derivation and used as an additional input... but I would rather avoid this if possible.
OK, I'll play around and post the results here.
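
The gate requested in the opening post, as an added shell example (not code from this thread or from NixOS): a generated config replaces the live one only if the validator exits zero. The function name `checked_install` and the paths in its comments are hypothetical, and it does not hook into nixos-rebuild.

```shell
#!/bin/sh
# Usage: checked_install CANDIDATE LIVE VALIDATOR [ARGS...]
# The validator runs as: VALIDATOR ARGS... CANDIDATE
# e.g. checked_install ./default.conf /etc/nginx/nginx.conf nginx -t -c
# Returns 0 = installed, 1 = validation failed, 2 = usage or I/O error.
checked_install() {
    candidate=$1
    live=$2
    shift 2
    if [ "$#" -eq 0 ]; then
        echo "checked_install: no validator command given" >&2
        return 2
    fi
    if [ ! -r "$candidate" ]; then
        echo "checked_install: cannot read $candidate" >&2
        return 2
    fi
    # Validate the candidate itself, never the live file, so a bad
    # config is rejected before anything the service reads has changed.
    if ! "$@" "$candidate" >&2; then
        echo "checked_install: validation failed, $live left untouched" >&2
        return 1
    fi
    # Stage next to the live file so the final rename stays on one
    # filesystem and is atomic. mktemp creates the file with mode 0600;
    # chmod it here if the service reads its config as another user.
    tmp=$(mktemp "$live.XXXXXX") || return 2
    if cp "$candidate" "$tmp" && mv -f "$tmp" "$live"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}
```

As the later replies point out, validators such as `nginx -t` and `httpd -t` also look at system state (users, groups), so a pass is only meaningful on a host where that state exists.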