nixos/piwik: use nginx' virtualHost submodule

instead of redeclaring part of the options. Backward-compatible change.
This gives the same flexibility to the user as nginx itself.
This also resolves the piwik module break from nginx' enableSSL introduction from #27426.
This commit is contained in:
Florian Jacob 2017-08-30 15:01:43 +02:00
parent ed6bd02a9d
commit 746cc06f13

View File

@ -57,41 +57,20 @@ in {
};
nginx = mkOption {
# TODO: for maximum flexibility, it would be nice to use nginx's vhost_options module
# but this only makes sense if we can somehow specify defaults suitable for piwik.
# But users can always copy the piwik nginx config to their configuration.nix and customize it.
type = types.nullOr (types.submodule {
options = {
virtualHost = mkOption {
type = types.str;
default = "piwik.${config.networking.hostName}";
example = "piwik.$\{config.networking.hostName\}";
description = ''
Name of the nginx virtualhost to use and set up.
'';
};
enableSSL = mkOption {
type = types.bool;
default = true;
description = "Whether to enable https.";
};
forceSSL = mkOption {
type = types.bool;
default = true;
description = "Whether to always redirect to https.";
};
enableACME = mkOption {
type = types.bool;
default = true;
description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";
};
};
});
type = types.nullOr (types.submodule (import ../web-servers/nginx/vhost-options.nix {
inherit config lib;
}));
default = null;
example = { virtualHost = "stats.$\{config.networking.hostName\}"; };
example = {
serverName = "stats.$\{config.networking.hostName\}";
enableACME = false;
};
description = ''
The options to use to configure an nginx virtualHost.
If null (the default), no nginx virtualHost will be configured.
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
Set this to {} to just enable the virtualHost if you don't need any customization.
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
and certificates are acquired via ACME.
If this is set to null (the default), no nginx virtualHost will be configured.
'';
};
};
@ -170,11 +149,15 @@ in {
# References:
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
# https://github.com/perusio/piwik-nginx
${cfg.nginx.virtualHost} = {
root = "${pkgs.piwik}/share";
enableSSL = cfg.nginx.enableSSL;
enableACME = cfg.nginx.enableACME;
forceSSL = cfg.nginx.forceSSL;
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
# don't allow to override root, as it will almost certainly break piwik
root = mkForce "${pkgs.piwik}/share";
# allow to override SSL settings if necessary, i.e. when using another method than ACME
# but enable them by default, as sensitive login and piwik data should not be transmitted in clear text.
addSSL = mkDefault true;
forceSSL = mkDefault true;
enableACME = mkDefault true;
locations."/" = {
index = "index.php";
@ -208,7 +191,7 @@ in {
locations."= /piwik.js".extraConfig = ''
expires 1M;
'';
};
}];
};
};