From 746cc06f1365c2c2f704f78e0e53452a3aae2ff8 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Wed, 30 Aug 2017 15:01:43 +0200 Subject: [PATCH 1/4] nixos/piwik: use nginx' virtualHost submodule instead of redeclaring part of the options. Backward-compatible change. This gives the same flexibility to the user as nginx itself. This also resolves the piwik module break from nginx' enableSSL introduction from #27426. --- nixos/modules/services/web-apps/piwik.nix | 61 ++++++++--------------- 1 file changed, 22 insertions(+), 39 deletions(-) diff --git a/nixos/modules/services/web-apps/piwik.nix b/nixos/modules/services/web-apps/piwik.nix index 26342a9c5f0..11fa13d6d76 100644 --- a/nixos/modules/services/web-apps/piwik.nix +++ b/nixos/modules/services/web-apps/piwik.nix 
@@ -57,41 +57,20 @@ in { }; nginx = mkOption { - # TODO: for maximum flexibility, it would be nice to use nginx's vhost_options module - # but this only makes sense if we can somehow specify defaults suitable for piwik. - # But users can always copy the piwik nginx config to their configuration.nix and customize it. - type = types.nullOr (types.submodule { - options = { - virtualHost = mkOption { - type = types.str; - default = "piwik.${config.networking.hostName}"; - example = "piwik.$\{config.networking.hostName\}"; - description = '' - Name of the nginx virtualhost to use and set up. - ''; - }; - enableSSL = mkOption { - type = types.bool; - default = true; - description = "Whether to enable https."; - }; - forceSSL = mkOption { - type = types.bool; - default = true; - description = "Whether to always redirect to https."; - }; - enableACME = mkOption { - type = types.bool; - default = true; - description = "Whether to ask Let's Encrypt to sign a certificate for this vhost."; - }; - }; - }); + type = types.nullOr (types.submodule (import ../web-servers/nginx/vhost-options.nix { + inherit config lib; + })); default = null; - example = { virtualHost = "stats.$\{config.networking.hostName\}"; }; + example = { + serverName = "stats.$\{config.networking.hostName\}"; + enableACME = false; + }; description = '' - The options to use to configure an nginx virtualHost. - If null (the default), no nginx virtualHost will be configured. + With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik. + Set this to {} to just enable the virtualHost if you don't need any customization. + If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active, + and certificates are acquired via ACME. + If this is set to null (the default), no nginx virtualHost will be configured. ''; }; }; 
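Review bot: The new `example` sets `enableACME = false` but leaves `forceSSL` at the default of true that the description promises, so presumably the nginx module will then expect `sslCertificate` and `sslCertificateKey` for this vhost; either add those two attributes to the example or say in the description that turning ACME off means supplying a certificate yourself. The description should also state that `root` is fixed to the piwik package and cannot be changed through this option, since the vhost definition elsewhere in this patch forces it with `mkForce`. A user reading only this option text would otherwise try `root = ...` and get a silent no-op.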
@@ -170,11 +149,15 @@ in { # References: # https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html # https://github.com/perusio/piwik-nginx - ${cfg.nginx.virtualHost} = { - root = "${pkgs.piwik}/share"; - enableSSL = cfg.nginx.enableSSL; - enableACME = cfg.nginx.enableACME; - forceSSL = cfg.nginx.forceSSL; + "${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx { + # don't allow to override root, as it will almost certainly break piwik + root = mkForce "${pkgs.piwik}/share"; + + # allow to override SSL settings if necessary, i.e. when using another method than ACME + # but enable them by default, as sensitive login and piwik data should not be transmitted in clear text. + addSSL = mkDefault true; + forceSSL = mkDefault true; + enableACME = mkDefault true; locations."/" = { index = "index.php"; @@ -208,7 +191,7 @@ in { locations."= /piwik.js".extraConfig = '' expires 1M; ''; - }; + }]; }; }; From adb03f32a126a139e8c23dcd3ea8852ca6dd5d9d Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Wed, 30 Aug 2017 15:09:05 +0200 Subject: [PATCH 2/4] nixos/piwik: Remove part about mail problems Sending mail works out of the box as of resolution of #26611. --- nixos/modules/services/web-apps/piwik-doc.xml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/nixos/modules/services/web-apps/piwik-doc.xml b/nixos/modules/services/web-apps/piwik-doc.xml index 21342d4454f..a393a182d36 100644 --- a/nixos/modules/services/web-apps/piwik-doc.xml +++ b/nixos/modules/services/web-apps/piwik-doc.xml @@ -79,16 +79,6 @@ You can safely ignore this, unless you need a plugin that needs JavaScript tracker access. - - - - Sending mail from piwik, e.g. for the password reset function, might not work out of the box: - There's a problem with using sendmail from php-fpm that is - being investigated at . - If you have (or don't have) this problem as well, please report it. You can enable SMTP as method - to send mail in piwik's General Settings > Mail Server Settings instead. - - 
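Review bot: The `forceSSL = mkDefault true` and `enableACME = mkDefault true` lines most likely never take effect, because `cfg.nginx` is an already-evaluated vhost submodule whose own `forceSSL`/`enableACME` defaults (false) are carried into `mkMerge` as ordinary-priority values that outrank `mkDefault`; as far as I can tell a plain `services.piwik.nginx = {}` therefore yields a cleartext vhost, contrary to the comment above these lines and to the option description. `root = mkForce ...` is unaffected, since `mkForce` outranks an ordinary definition. The robust fix is to put the defaults on the option type itself: wrap the imported vhost-options with `lib.recursiveUpdate` and add `options.forceSSL.default = true;` and `options.enableACME.default = true;`, then drop the `mkDefault` lines here. The enclosing `services.nginx.virtualHosts` set starts outside this hunk, so its `mkIf (cfg.nginx != null)` guard is not visible to me.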
From 0544ac4a1b6ae7ed6f9d0e33307f618a405ce35b Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Wed, 30 Aug 2017 15:14:52 +0200 Subject: [PATCH 3/4] nixos/piwik: Make webServerUser default to nginx if the nginx option is used. Noted that either webServerUser or nginx option is mandatory. Also introduce an assertion if both are not set, and a warning if both are set. Resolves #27704. --- nixos/modules/services/web-apps/piwik.nix | 28 +++++++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/web-apps/piwik.nix b/nixos/modules/services/web-apps/piwik.nix index 11fa13d6d76..8d1b3fd00e2 100644 --- a/nixos/modules/services/web-apps/piwik.nix +++ b/nixos/modules/services/web-apps/piwik.nix @@ -24,14 +24,17 @@ in { default = false; description = '' Enable piwik web analytics with php-fpm backend. + Either the nginx option or the webServerUser option is mandatory. ''; }; webServerUser = mkOption { - type = types.str; - example = "nginx"; + type = types.nullOr types.str; + default = null; + example = "lighttpd"; description = '' - Name of the owner of the ${phpSocket} fastcgi socket for piwik. + Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx + option is not used. Either this option or the nginx option is mandatory. If you want to use another webserver than nginx, you need to set this to that server's user and pass fastcgi requests to `index.php` and `piwik.php` to this socket. ''; @@ -67,6 +70,7 @@ in { }; description = '' With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik. + Either this option or the webServerUser option is mandatory. Set this to {} to just enable the virtualHost if you don't need any customization. If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active, and certificates are acquired via ACME. 
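Review bot: The `webServerUser` description does not say what the value is actually used for: it becomes `listen.owner` of the php-fpm socket, which this patch creates with `listen.mode = 0600`, so this user is the only account that can reach php-fpm and a wrong value breaks the site rather than widening access. I would add a sentence such as `This user becomes the owner of the fastcgi socket (mode 0600), so it must be exactly the user the web server runs as.` It would also help to state that when both `nginx` and `webServerUser` are set, the nginx user is used and this option is ignored, matching the warning introduced in this commit.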
@@ -77,6 +81,14 @@ in { }; config = mkIf cfg.enable { + warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [ + "If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed." + ]; + + assertions = [ { + assertion = cfg.nginx != null || cfg.webServerUser != null; + message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory"; + }]; users.extraUsers.${user} = { isSystemUser = true; @@ -132,10 +144,16 @@ in { serviceConfig.UMask = "0007"; }; - services.phpfpm.poolConfigs = { + services.phpfpm.poolConfigs = let + # workaround for when both are null and need to generate a string, + # which is illegal, but as assertions apparently are being triggered *after* config generation, + # we have to avoid already throwing errors at this previous stage. + socketOwner = if (cfg.nginx != null) then config.services.nginx.user + else if (cfg.webServerUser != null) then cfg.webServerUser else ""; + in { ${pool} = '' listen = "${phpSocket}" - listen.owner = ${cfg.webServerUser} + listen.owner = ${socketOwner} listen.group = root listen.mode = 0600 user = ${user} From ae9d311565d8c790900ebbc0976e447034930112 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Wed, 30 Aug 2017 22:13:26 +0200 Subject: [PATCH 4/4] nixos/piwik: adjust to addSSL and forceSSL now being mutually exclusive --- nixos/modules/services/web-apps/piwik.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/web-apps/piwik.nix b/nixos/modules/services/web-apps/piwik.nix index 8d1b3fd00e2..d59f800cf36 100644 --- a/nixos/modules/services/web-apps/piwik.nix +++ b/nixos/modules/services/web-apps/piwik.nix @@ -173,7 +173,6 @@ in { # allow to override SSL settings if necessary, i.e. when using another method than ACME # but enable them by default, as sensitive login and piwik data should not be transmitted in clear text. - addSSL = mkDefault true; forceSSL = mkDefault true; enableACME = mkDefault true;
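Review bot: Both new messages point at a non-existent option path: `services.piwik.nginx.webServerUser` should be `services.piwik.webServerUser` in the warning string and in the assertion `message`, otherwise the user is told to edit an option that does not exist. Change them to `"If services.piwik.nginx is set, services.piwik.webServerUser is ignored and should be removed."` and `message = "Either services.piwik.nginx or services.piwik.webServerUser is mandatory";`. The `else ""` fallback for `socketOwner` in the pool hunk on this same line is acceptable only because a failing assertion aborts evaluation before the pool config can be deployed, which the comment there already explains. The enclosing `config = mkIf cfg.enable {` set continues outside the hunk.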