···
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
133
-
ssl = with vhost; addSSL || onlySSL || enableSSL;
133
+
onlySSL = vhost.onlySSL || vhost.enableSSL;
134
+
hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;
135
-
defaultListen = with vhost;
136
-
if listen != [] then listen
137
-
else if onlySSL || enableSSL then
138
-
singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
139
-
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
140
-
else singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
141
-
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
142
-
++ optional addSSL { addr = "0.0.0.0"; port = 443; ssl = true; }
143
-
++ optional (enableIPv6 && addSSL) { addr = "[::]"; port = 443; ssl = true; };
137
+
if vhost.listen != [] then vhost.listen
138
+
else ((optionals hasSSL (
139
+
singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
140
+
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
141
+
)) ++ optionals (!onlySSL) (
142
+
singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
143
+
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
148
-
else filter (x: x.ssl) defaultListen;
148
+
then filter (x: x.ssl) defaultListen
149
+
else defaultListen;
listenString = { addr, port, ssl, ... }:
"listen ${addr}:${toString port} "
···
redirectListen = filter (x: !x.ssl) defaultListen;
158
-
redirectListenString = { addr, ... }:
159
-
"listen ${addr}:80 ${optionalString vhost.default "default_server"};";
location /.well-known/acme-challenge {
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
···
${optionalString vhost.forceSSL ''
178
-
${concatMapStringsSep "\n" redirectListenString redirectListen}
176
+
${concatMapStringsSep "\n" listenString redirectListen}
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME acmeLocation}
···
${optionalString vhost.enableACME acmeLocation}
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
194
-
return 301 http${optionalString ssl "s"}://${vhost.globalRedirect}$request_uri;
192
+
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
196
-
${optionalString ssl ''
194
+
${optionalString hasSSL ''
ssl_certificate ${vhost.sslCertificate};
ssl_certificate_key ${vhost.sslCertificateKey};
···
481
-
assertion = all (conf: with conf; !(addSSL && (onlySSL || enableSSL))) (attrValues virtualHosts);
479
+
assertion = all (conf: with conf;
480
+
!(addSSL && (onlySSL || enableSSL)) &&
481
+
!(forceSSL && (onlySSL || enableSSL)) &&
482
+
!(addSSL && forceSSL)
483
+
) (attrValues virtualHosts);
483
-
Options services.nginx.service.virtualHosts.<name>.addSSL and
484
-
services.nginx.virtualHosts.<name>.onlySSL are mutually esclusive
489
-
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
491
-
Option services.nginx.virtualHosts.<name>.forceSSL requires
492
-
services.nginx.virtualHosts.<name>.addSSL set to true.
485
+
Options services.nginx.service.virtualHosts.<name>.addSSL,
486
+
services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL
487
+
are mutually exclusive.
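Review bot: With a user-supplied `listen`, `forceSSL` can now yield a server block that has no `listen` line at all. `redirectListen` is `filter (x: !x.ssl) defaultListen` and the other branch keeps only the `x.ssl` entries, so a list that is all-TLS or all-plaintext leaves one of the two filtered lists empty. nginx then falls back to its implicit default listener (`*:80` when started as root), which gives either a redirect listener the operator never declared or, presumably, the certificate-bearing block bound to a plaintext port. An assertion beside the new mutual-exclusion check would reject this at evaluation time, for example `assertion = all (conf: with conf; forceSSL -> (listen == [] || (any (x: x.ssl) listen && any (x: !x.ssl) listen))) (attrValues virtualHosts);`. The `if` that selects the filtered list and the rest of the per-vhost `let` are outside the visible lines, so confirm which block consumes each list before adopting the wording.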