Diffstat (limited to 'nixos/modules/services/web-servers/nginx/vhost-options.nix')
-rw-r--r--nixos/modules/services/web-servers/nginx/vhost-options.nix51
1 files changed, 35 insertions, 16 deletions
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 60260512bc2f..362f8ee90524 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -27,25 +27,21 @@ with lib;
     };
 
     listen = mkOption {
-      type = with types; listOf (submodule {
-        options = {
-          addr = mkOption { type = str; description = "IP address."; };
-          port = mkOption { type = nullOr int; description = "Port number."; };
-        };
-      });
-      default =
-        [ { addr = "0.0.0.0"; port = null; } ]
-        ++ optional config.networking.enableIPv6
-          { addr = "[::]"; port = null; };
+      type = with types; listOf (submodule { options = {
+        addr = mkOption { type = str;  description = "IP address.";  };
+        port = mkOption { type = int;  description = "Port number."; default = 80; };
+        ssl  = mkOption { type = bool; description = "Enable SSL.";  default = false; };
+      }; });
+      default = [];
       example = [
-        { addr = "195.154.1.1"; port = 443; }
-        { addr = "192.168.1.2"; port = 443; }
+        { addr = "195.154.1.1"; port = 443; ssl = true;}
+        { addr = "192.154.1.1"; port = 80; }
       ];
       description = ''
         Listen addresses and ports for this virtual host.
         IPv6 addresses must be enclosed in square brackets.
-        Setting the port to <literal>null</literal> defaults
-        to 80 for http and 443 for https (i.e. when enableSSL is set).
+        Note: this option overrides <literal>addSSL</literal>
+        and <literal>onlySSL</literal>.
       '';
     };
 
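Review bot: A `listen` entry with `ssl = true` still takes the `port` default of 80, because the new submodule defaults `port` to 80 unconditionally while the removed `null` handling used to pick 443 for https; a user writing `{ addr = "0.0.0.0"; ssl = true; }` gets TLS served on port 80, and conversely `{ addr = "…"; port = 443; }` without `ssl = true` serves plaintext on 443. The description should spell this out, e.g. `Each entry's <literal>port</literal> defaults to 80 regardless of <literal>ssl</literal>; set <literal>port = 443</literal> and <literal>ssl = true</literal> together for HTTPS.`, since this is exactly the case that silently downgrades a host that previously relied on the port-null default. The example also changed `192.168.1.2` to `192.154.1.1`, which looks like a typo rather than an intended public address; the old private-range value was the safer illustration. I cannot see from this hunk whether default.nix asserts that `ssl = true` entries have `sslCertificate`/`sslCertificateKey` set, so that presumably belongs there.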
@@ -70,16 +66,39 @@ with lib;
       '';
     };
 
+    addSSL = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
+        <literal>listen</literal> to listen on all interfaces on the respective default
+        ports (80, 443).
+      '';
+    };
+
+    onlySSL = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable HTTPS and reject plain HTTP connections. This will set
+        defaults for <literal>listen</literal> to listen on all interfaces on port 443.
+      '';
+    };
+
     enableSSL = mkOption {
       type = types.bool;
+      visible = false;
       default = false;
-      description = "Whether to enable SSL (https) support.";
     };
 
     forceSSL = mkOption {
       type = types.bool;
       default = false;
-      description = "Whether to always redirect to https.";
+      description = ''
+        Whether to add a separate nginx server block that permanently redirects (301)
+        all plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal>
+        to be set to true.
+      '';
     };
 
     sslCertificate = mkOption {
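Review bot: The new `addSSL` and `onlySSL` descriptions do not say what happens when both are true, and `forceSSL` only states that it needs `addSSL`, leaving `forceSSL` + `onlySSL` (redirect plain HTTP vs. reject it) undefined from the documentation alone; any assertion enforcing this would live outside this file, which I cannot see, so the option docs should state it explicitly, e.g. appending `This option is mutually exclusive with <literal>onlySSL</literal>.` to `addSSL` and the mirror sentence to `onlySSL`. `enableSSL` is now hidden with its description removed but still defined, so a reader of the source has no hint of its status; a one-line comment such as `# Deprecated alias kept for backwards compatibility; presumably mapped onto addSSL/onlySSL in default.nix` would help, hedged because the mapping is not visible here. The `forceSSL` description could also caveat that a 301 redirect alone does not protect the first plaintext request and that callers wanting strict transport security still need an HSTS header via their extra config, since nothing in this hunk adds one.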