authorFlorian Jacob <projects+git@florianjacob.de>2017-08-31 16:47:54 +0200
committerRobin Gloster <mail@glob.in>2017-09-01 08:13:34 +0200
commit786e9711f5b3a9c27840c260354f0ea774d5f826 (patch)
treefdc9f05a3ad2f530efae22fa0f5d18f5f2358e23 /nixos/modules/services/web-apps/piwik.nix
parent3b9f0c6a469a574c1c030e4c23f6c766819cbd2d (diff)
nixos/piwik: fix nginx submodule's ssl defaults
previous mkDefault did not work as expected,
as it did not overwrite the original submodule's defaults when the user
did not specify any custom options at all.
Diffstat (limited to 'nixos/modules/services/web-apps/piwik.nix')
-rw-r--r--nixos/modules/services/web-apps/piwik.nix26
1 files changed, 17 insertions, 9 deletions
diff --git a/nixos/modules/services/web-apps/piwik.nix b/nixos/modules/services/web-apps/piwik.nix
index d59f800cf36..ce86c6873dd 100644
--- a/nixos/modules/services/web-apps/piwik.nix
+++ b/nixos/modules/services/web-apps/piwik.nix
@@ -60,9 +60,17 @@ in {
       };
 
       nginx = mkOption {
-        type = types.nullOr (types.submodule (import ../web-servers/nginx/vhost-options.nix {
-          inherit config lib;
-        }));
+        type = types.nullOr (types.submodule (
+          recursiveUpdate
+            (import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
+            {
+              # enable encryption by default,
+              # as sensitive login and piwik data should not be transmitted in clear text.
+              options.forceSSL.default = true;
+              options.enableACME.default = true;
+            }
+        )
+        );
         default = null;
         example = {
           serverName = "stats.$\{config.networking.hostName\}";
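Review bot: The comment above `options.forceSSL.default` keeps the reason for encrypting by default but drops the guidance from the comment removed in the second hunk about when an override is legitimate, so a reader no longer learns that only the certificate source is meant to be swapped. I would extend it with `# enableACME may be set to false when certificates are provisioned another way; forceSSL should stay on.` Because the defaults now sit on the option itself, a user who chooses `onlySSL` or `addSSL` presumably has to set `forceSSL = false` explicitly as well, which is worth a sentence in the option's description (outside this hunk). The `recursiveUpdate` also relies on vhost-options.nix evaluating to a plain attribute set that contains `options.forceSSL` and `options.enableACME`; a one-line comment recording that assumption would help whoever changes that file later.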
@@ -168,14 +176,14 @@ in {
       # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
       # https://github.com/perusio/piwik-nginx
       "${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
-        # don't allow to override root, as it will almost certainly break piwik
+        # don't allow to override the root easily, as it will almost certainly break piwik.
+        # disadvantage: not shown as default in docs.
         root = mkForce "${pkgs.piwik}/share";
 
-        # allow to override SSL settings if necessary, i.e. when using another method than ACME
-        # but enable them by default, as sensitive login and piwik data should not be transmitted in clear text.
-        forceSSL = mkDefault true;
-        enableACME = mkDefault true;
-
+        # define locations here instead of as the submodule option's default
+        # so that they can easily be extended with additional locations if required
+        # without needing to redefine the piwik ones.
+        # disadvantage: not shown as default in docs.
         locations."/" = {
           index = "index.php";
         };
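Review bot: The reworded comment on `root = mkForce ...` says the root cannot be overridden "easily" but not what happens to a value the user does set: since `cfg.nginx` is merged with this attribute set, a `root` given through the module's `nginx` option appears to be dropped silently in favour of the forced one. I would say so in the comment, e.g. `# a root set via cfg.nginx is ignored; the forced value always wins in this merge.`, or reject such a value with an assertion so the misconfiguration is visible at evaluation time. The same merge applies to `locations`: a user location whose path the module also defines is merged into the module's definition rather than kept apart, so the comment inviting extension should add that extra locations must not reuse the piwik paths, which presumably carry the access rules from the hardening guides linked above. The attribute set continues past the end of this hunk, so the remaining locations are not visible here.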