fix: properly escape Nix strings everywhere

compose.go

@@ -576,16 +576,6 @@ func (g *Generator) buildNixContainer(service types.ServiceConfig, networkMap ma
 				if err != nil {
 					return nil, fmt.Errorf("failed to convert healthcheck command: %w", err)
 				}
-
-				// We need to escape double-quotes for Nix.
-				//
-				// We also need to escape the special "${" sequence as it is possible that this is
-				// passed in to evaluate a Bash env variable as part of the command.
-				//
-				// See: https://nixos.org/manual/nix/stable/language/values
-				cmd = strings.ReplaceAll(cmd, `"`, `\"`)
-				cmd = strings.ReplaceAll(cmd, "${", `\${`)
-
 				c.ExtraOptions = append(c.ExtraOptions, fmt.Sprintf("--health-cmd=%s", cmd))
 			}
 			if timeout := healthCheck.Timeout; timeout != nil {

nix_test.go

@@ -319,6 +319,14 @@ func TestDeployDevices(t *testing.T) {
 	runSubtestsWithGenerator(t, g)
 }
 
+func TestEscapeChars(t *testing.T) {
+	composePath, _ := getPaths(t, false)
+	g := &Generator{
+		Inputs: []string{composePath},
+	}
+	runSubtestsWithGenerator(t, g)
+}
+
 func TestNoCreateRootTarget(t *testing.T) {
 	composePath, _ := getPaths(t, false)
 	g := &Generator{

nixos-test/docker-compose.nix

@@ -52,6 +52,7 @@
       "compose2nix.systemd.service.Restart" = "no";
       "compose2nix.systemd.service.RuntimeMaxSec" = "360";
       "compose2nix.systemd.unit.Description" = "This is the service-a container!";
+      "escape-me" = "\"hello\"";
     };
     log-driver = "journald";
     extraOptions = [
@@ -170,7 +171,7 @@
       ExecStop = "docker network rm -f myproject_something";
     };
     script = ''
-      docker network inspect myproject_something || docker network create myproject_something --subnet=192.168.8.0/24 --gateway=192.168.8.1 --label=test-label=okay
+      docker network inspect myproject_something || docker network create myproject_something --subnet=192.168.8.0/24 --gateway=192.168.8.1 --label=escape-me='''hello''' --label=test-label=okay
     '';
     partOf = [ "docker-compose-myproject-root.target" ];
     wantedBy = [ "docker-compose-myproject-root.target" ];
@@ -202,7 +203,7 @@
       "/mnt/media"
     ];
     script = ''
-      docker volume inspect storage || docker volume create storage --opt=device=/mnt/media --opt=o=bind --opt=type=none
+      docker volume inspect storage || docker volume create storage --opt=device=/mnt/media --opt=o=bind --opt=type=none --label=escape-me='''hello'''
     '';
     partOf = [ "docker-compose-myproject-root.target" ];
     wantedBy = [ "docker-compose-myproject-root.target" ];

nixos-test/docker-compose.yml

@@ -19,6 +19,7 @@ services:
       - 'compose2nix.systemd.service.Restart=no'
       - "compose2nix.systemd.service.RuntimeMaxSec=360"
       - "compose2nix.systemd.unit.Description=This is the service-a container!"
+      - "escape-me=\"hello\""
     restart: unless-stopped
   service-b:
     image: docker.io/library/nginx:stable-alpine-slim
@@ -51,6 +52,7 @@ networks:
           gateway: 192.168.8.1
     labels:
       - "test-label=okay"
+      - "escape-me=''hello''"
 
 volumes:
   storage:
@@ -59,6 +61,8 @@ volumes:
       type: none
       device: /mnt/media
       o: bind
+    labels:
+      - "escape-me=''hello''"
   books:
     driver_opts:
       type: none

nixos-test/podman-compose.nix

@@ -57,6 +57,7 @@
       "compose2nix.systemd.service.Restart" = "no";
       "compose2nix.systemd.service.RuntimeMaxSec" = "360";
       "compose2nix.systemd.unit.Description" = "This is the service-a container!";
+      "escape-me" = "\"hello\"";
     };
     log-driver = "journald";
     extraOptions = [
@@ -172,7 +173,7 @@
       ExecStop = "podman network rm -f myproject_something";
     };
     script = ''
-      podman network inspect myproject_something || podman network create myproject_something --subnet=192.168.8.0/24 --gateway=192.168.8.1 --label=test-label=okay
+      podman network inspect myproject_something || podman network create myproject_something --subnet=192.168.8.0/24 --gateway=192.168.8.1 --label=escape-me='''hello''' --label=test-label=okay
     '';
     partOf = [ "podman-compose-myproject-root.target" ];
     wantedBy = [ "podman-compose-myproject-root.target" ];
@@ -204,7 +205,7 @@
       "/mnt/media"
     ];
     script = ''
-      podman volume inspect storage || podman volume create storage --opt=device=/mnt/media --opt=o=bind --opt=type=none
+      podman volume inspect storage || podman volume create storage --opt=device=/mnt/media --opt=o=bind --opt=type=none --label=escape-me='''hello'''
     '';
     partOf = [ "podman-compose-myproject-root.target" ];
     wantedBy = [ "podman-compose-myproject-root.target" ];

template.go

@@ -28,7 +28,7 @@ func derefInt(v *int) int {
 func toNixValue(v any) any {
 	switch v := v.(type) {
 	case string:
-		return fmt.Sprintf("%q", v)
+		return fmt.Sprintf("%q", escapeNixString(v))
 	default:
 		return v
 	}
@@ -37,16 +37,33 @@ func toNixValue(v any) any {
 func toNixList(s []string) string {
 	b := strings.Builder{}
 	for i, e := range s {
-		b.WriteString(fmt.Sprintf("%q", e))
+		b.WriteString(fmt.Sprintf("%q", escapeNixString(e)))
 		if i < len(s)-1 {
 			b.WriteString(" ")
 		}
 	}
 	return fmt.Sprintf("[ %s ]", b.String())
 }
 
+func escapeNixString(s string) string {
+	// https://nix.dev/manual/nix/latest/language/syntax#string-literal
+	s = strings.ReplaceAll(s, `\`, `\\`)
+	s = strings.ReplaceAll(s, `"`, `\"`)
+	s = strings.ReplaceAll(s, `${`, `\${`)
+	return s
+}
+
+func escapeIndentedNixString(s string) string {
+	// https://nix.dev/manual/nix/latest/language/syntax#string-literal
+	s = strings.ReplaceAll(s, `''`, `'''`)
+	s = strings.ReplaceAll(s, `$`, `''$`)
+	return s
+}
+
 var funcMap template.FuncMap = template.FuncMap{
-	"derefInt":   derefInt,
-	"toNixValue": toNixValue,
-	"toNixList":  toNixList,
+	"derefInt":                derefInt,
+	"toNixValue":              toNixValue,
+	"toNixList":               toNixList,
+	"escapeNixString":         escapeNixString,
+	"escapeIndentedNixString": escapeIndentedNixString,
 }

templates/container.nix.tmpl

@@ -4,7 +4,7 @@ virtualisation.oci-containers.containers."{{.Name}}" = {
   {{- if .Environment}}
   environment = {
     {{- range $k, $v := .Environment}}
-    "{{$k}}" = "{{$v}}";
+    "{{$k}}" = "{{escapeNixString $v}}";
     {{- end}}
   };
   {{- end}}
@@ -40,7 +40,7 @@ virtualisation.oci-containers.containers."{{.Name}}" = {
   {{- if .Labels}}
   labels = {
     {{- range $k, $v := .Labels}}
-    "{{$k}}" = "{{$v}}";
+    "{{$k}}" = "{{escapeNixString $v}}";
     {{- end}}
   };
   {{- end}}
@@ -68,7 +68,7 @@ virtualisation.oci-containers.containers."{{.Name}}" = {
   {{- if .ExtraOptions}}
   extraOptions = [
     {{- range .ExtraOptions}}
-    "{{.}}"
+    "{{escapeNixString .}}"
     {{- end}}
   ];
   {{- end}}

templates/network.nix.tmpl

@@ -6,7 +6,7 @@ systemd.services."{{.Runtime}}-network-{{.Name}}" = {
     ExecStop = "{{.Runtime}} network rm -f {{.Name}}";
   };
   script = ''
-    {{ .Command }}
+    {{escapeIndentedNixString .Command }}
   '';
   {{- if rootTarget}}
   {{- /* PartOf for stop/restart of root, WantedBy for start of root. */}}

templates/volume.nix.tmpl

@@ -15,7 +15,7 @@ systemd.services."{{.Runtime}}-volume-{{.Name}}" = {
   ];
   {{- end}}
   script = ''
-    {{ .Command }}
+    {{escapeIndentedNixString .Command }}
   '';
   {{- if rootTarget}}
   {{- /* PartOf for stop/restart of root, WantedBy for start of root. */}}

testdata/TestBasic.docker.nix

@@ -74,7 +74,7 @@
       "DOCKER_MODS" = "ghcr.io/gilbn/theme.park:sabnzbd";
       "PGID" = "1000";
       "PUID" = "1000";
-      "TP_DOMAIN" = "hey.hello.us\/themepark";
+      "TP_DOMAIN" = "hey.hello.us\\/themepark";
       "TP_HOTIO" = "false";
       "TP_THEME" = "potato";
       "TZ" = "America/New_York";

testdata/TestBasic.podman.nix

@@ -77,7 +77,7 @@
       "DOCKER_MODS" = "ghcr.io/gilbn/theme.park:sabnzbd";
       "PGID" = "1000";
       "PUID" = "1000";
-      "TP_DOMAIN" = "hey.hello.us\/themepark";
+      "TP_DOMAIN" = "hey.hello.us\\/themepark";
       "TP_HOTIO" = "false";
       "TP_THEME" = "potato";
       "TZ" = "America/New_York";

testdata/TestBasicAutoFormat.docker.nix

@@ -68,7 +68,7 @@
       "DOCKER_MODS" = "ghcr.io/gilbn/theme.park:sabnzbd";
       "PGID" = "1000";
       "PUID" = "1000";
-      "TP_DOMAIN" = "hey.hello.us\/themepark";
+      "TP_DOMAIN" = "hey.hello.us\\/themepark";
       "TP_HOTIO" = "false";
       "TP_THEME" = "potato";
       "TZ" = "America/New_York";

testdata/TestBasicAutoFormat.podman.nix

@@ -71,7 +71,7 @@
       "DOCKER_MODS" = "ghcr.io/gilbn/theme.park:sabnzbd";
       "PGID" = "1000";
       "PUID" = "1000";
-      "TP_DOMAIN" = "hey.hello.us\/themepark";
+      "TP_DOMAIN" = "hey.hello.us\\/themepark";
       "TP_HOTIO" = "false";
       "TP_THEME" = "potato";
       "TZ" = "America/New_York";

testdata/TestEscapeChars.compose.yml

@@ -0,0 +1,26 @@
+name: "dovecot"
+services:
+  dovecot:
+    container_name: dovecot
+    image: dovecot
+    labels:
+      ofelia.enabled: "true"
+      ofelia.job-exec.dovecot_imapsync_runner.schedule: "@every 1m"
+      ofelia.job-exec.dovecot_imapsync_runner.no-overlap: "true"
+      ofelia.job-exec.dovecot_imapsync_runner.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu nobody /usr/local/bin/imapsync_runner.pl || exit 0\""
+      ofelia.job-exec.dovecot_trim_logs.schedule: "@every 1m"
+      ofelia.job-exec.dovecot_trim_logs.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/trim_logs.sh || exit 0\""
+    networks:
+      - abc
+    volumes:
+      - def:/path/to/path
+
+networks:
+  abc:
+    labels:
+      my-label: "\"some quoted string\""
+
+volumes:
+  def:
+    labels:
+      other-label: "\"another quota string\""

testdata/TestEscapeChars.docker.nix

@@ -0,0 +1,83 @@
+{ pkgs, lib, ... }:
+
+{
+  # Runtime
+  virtualisation.docker = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+  virtualisation.oci-containers.backend = "docker";
+
+  # Containers
+  virtualisation.oci-containers.containers."dovecot" = {
+    image = "dovecot";
+    volumes = [
+      "dovecot_def:/path/to/path:rw"
+    ];
+    labels = {
+      "ofelia.enabled" = "true";
+      "ofelia.job-exec.dovecot_imapsync_runner.command" = "/bin/bash -c \"[[ \${MASTER} == y ]] && /usr/local/bin/gosu nobody /usr/local/bin/imapsync_runner.pl || exit 0\"";
+      "ofelia.job-exec.dovecot_imapsync_runner.no-overlap" = "true";
+      "ofelia.job-exec.dovecot_imapsync_runner.schedule" = "@every 1m";
+      "ofelia.job-exec.dovecot_trim_logs.command" = "/bin/bash -c \"[[ \${MASTER} == y ]] && /usr/local/bin/gosu vmail /usr/local/bin/trim_logs.sh || exit 0\"";
+      "ofelia.job-exec.dovecot_trim_logs.schedule" = "@every 1m";
+    };
+    log-driver = "journald";
+    autoStart = false;
+    extraOptions = [
+      "--network-alias=dovecot"
+      "--network=dovecot_abc"
+    ];
+  };
+  systemd.services."docker-dovecot" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "no";
+    };
+    after = [
+      "docker-network-dovecot_abc.service"
+      "docker-volume-dovecot_def.service"
+    ];
+    requires = [
+      "docker-network-dovecot_abc.service"
+      "docker-volume-dovecot_def.service"
+    ];
+  };
+
+  # Networks
+  systemd.services."docker-network-dovecot_abc" = {
+    path = [ pkgs.docker ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "docker network rm -f dovecot_abc";
+    };
+    script = ''
+      docker network inspect dovecot_abc || docker network create dovecot_abc --label=my-label="some quoted string"
+    '';
+    partOf = [ "docker-compose-dovecot-root.target" ];
+    wantedBy = [ "docker-compose-dovecot-root.target" ];
+  };
+
+  # Volumes
+  systemd.services."docker-volume-dovecot_def" = {
+    path = [ pkgs.docker ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      docker volume inspect dovecot_def || docker volume create dovecot_def --label=other-label="another quota string"
+    '';
+    partOf = [ "docker-compose-dovecot-root.target" ];
+    wantedBy = [ "docker-compose-dovecot-root.target" ];
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."docker-compose-dovecot-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+  };
+}