@edanaher, thanks for your PR! By analyzing the history of the files in this pull request, we identified @globin, @fadenb and @fpletz to be potential reviewers.

Incidentally, it would also be nice to document this for the other web servers (apache, lightd, etc.), but I haven't used them in years and haven't looked at the Nix configs for them. If there's interest but nobody wants to add it, I could spend a bit of time seeing how they work.

It also seems that if you enableSSL, you can't create a second one for port 80. does that seem to be true for you?

@grahamc - What do you mean by "create a second one for port 80"? Do you mean creating a separate virtualHost with the same serverName? I haven't tried it, but I don't know of any reason it wouldn't work. (You'd have to give it a different name in the virtualHosts set (e.g., "www.example.com-HTTP") and then set the hostname explicitly with the serverName option, but I'd expect that to Just Work.)

to complicate this a bit, documentation already talks about this

https://github.com/edanaher/nixpkgs/blob/9a9222cbf91f016d2ad2a7df6ab8dc022ceb4914/nixos/modules/services/web-servers/nginx/vhost-options.nix#L29

Also, we shouldn't ask users to break abstraction (the extraConfig). The better solution is to adopt multiple ports option, just like apache-httpd did. Something like

ports = mkOption {
   type = with types; listOf (either int (submodule ...));
   default = [];
 };
 enableHTTP = mkOption {
   type = types.bool;
   default = true;
   description = ''Whether to listen on 80 port. This is always false if forceSSL specified.'';
 };
 enableHTTPS = mkOption {
   type = types.bool;
   default = false;
   description = ''Whether to listen on 443 port and enable TLS/SSL support for this virtual host.'';
 };

Here we show that nginx can listen on multiple ports and allow user to control 80 port (which is listened by default). As for me, it is strange to have configuration enableHTTPS = true; enableHTTP = false; forceSSL = false;, but this is exactly what current nginx module allows.

@fpletz, @fadenb and me have talked about this already. We are leaning towards deprecating enableSSL and having three instead of the two existing options (including forceSSL)

The options would be:

• addSSL: new value adding a second identical vhost with SSL enabled
• onlySSL: current enableSSL
• forceSSL: as defined currently

We haven't had the time to implement this, so if someone beats us to it feel free to go ahead :)

Thanks @globin for mentioning that! I like that solution, and if it's already agreed upon, I'm willing to spend some time (hopefully this week) to implement it. And that certainly makes this change unnecessary, so I'll go ahead and close it.