Diffstat (limited to 'nixos/modules/services/web-servers/nginx/vhost-options.nix')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 51 |
1 files changed, 35 insertions, 16 deletions
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 60260512bc2f..362f8ee90524 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -27,25 +27,21 @@ with lib;
 };
 
 listen = mkOption {
- type = with types; listOf (submodule {
- options = {
- addr = mkOption { type = str; description = "IP address."; };
- port = mkOption { type = nullOr int; description = "Port number."; };
- };
- });
- default =
- [ { addr = "0.0.0.0"; port = null; } ]
- ++ optional config.networking.enableIPv6
- { addr = "[::]"; port = null; };
+ type = with types; listOf (submodule { options = {
+ addr = mkOption { type = str; description = "IP address."; };
+ port = mkOption { type = int; description = "Port number."; default = 80; };
+ ssl = mkOption { type = bool; description = "Enable SSL."; default = false; };
+ }; });
+ default = [];
 example = [
- { addr = "195.154.1.1"; port = 443; }
- { addr = "192.168.1.2"; port = 443; }
+ { addr = "195.154.1.1"; port = 443; ssl = true;}
+ { addr = "192.154.1.1"; port = 80; }
 ];
 description = ''
 Listen addresses and ports for this virtual host.
 IPv6 addresses must be enclosed in square brackets.
- Setting the port to <literal>null</literal> defaults
- to 80 for http and 443 for https (i.e. when enableSSL is set).
+ Note: this option overrides <literal>addSSL</literal>
+ and <literal>onlySSL</literal>.
 '';
 };
 
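Review bot: A `listen` entry that leaves out `ssl` is a non-TLS listener even on port 443, because `ssl` defaults to `false` and the description states that `listen` overrides `addSSL` and `onlySSL`. A vhost that sets `onlySSL = true` together with a custom `listen` could therefore end up serving cleartext; how the consuming module treats that combination is outside this hunk. I would say so in the description, e.g. `Note: this option overrides <literal>addSSL</literal> and <literal>onlySSL</literal>; entries without <literal>ssl = true</literal> are presumably served as plain HTTP.` The `port` option also accepts any `int`, so an out-of-range value is presumably only caught when nginx parses the generated configuration.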
@@ -70,16 +66,39 @@ with lib; ''; }; + addSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS in addition to plain HTTP. This will set defaults for + <literal>listen</literal> to listen on all interfaces on the respective default + ports (80, 443). + ''; + }; + + onlySSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HTTPS and reject plain HTTP connections. This will set + defaults for <literal>listen</literal> to listen on all interfaces on port 443. + ''; + }; + enableSSL = mkOption { type = types.bool; + visible = false; default = false; - description = "Whether to enable SSL (https) support."; }; forceSSL = mkOption { type = types.bool; default = false; - description = "Whether to always redirect to https."; + description = '' + Whether to add a separate nginx server block that permanently redirects (301) + all plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal> + to be set to true. + ''; }; sslCertificate = mkOption { |
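Review bot: The relationships between `addSSL`, `onlySSL`, `forceSSL` and the now-hidden `enableSSL` are stated only in description text, so nothing visible in this hunk stops a vhost from setting `forceSSL` without `addSSL`, or `addSSL` and `onlySSL` together. If the module that consumes these options (outside this diff) has no assertion for those combinations, the result could be a vhost that keeps answering plain HTTP or silently lacks the redirect. `enableSSL` loses its description and gains `visible = false` with no comment; a line such as `# Hidden legacy option, presumably kept so existing configurations still evaluate; prefer addSSL or onlySSL.` would tell maintainers why it remains, once the intent is confirmed. The `onlySSL` text says it will "reject plain HTTP connections" while its second sentence only describes listening on port 443, so `Whether to enable HTTPS and not listen for plain HTTP.` may be the more accurate wording.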