Nginx option defaultListen doesn't consider unix socket paths

[Bert-Proesmans]

Describe the bug

The option services.nginx.defaultListen maps into a nginx http->server section for each defined virtual host, but this transform always sets a value on the port attribute. The mapping code assumes the addr attribute is always of type AF_INET, while AF_UNIX is also possible.

Steps To Reproduce

The nixos module stub below results in the nginx configuration stub below. Note that a port is appended to the unix socket segment.

services.nginx = {
  enable = true;
  defaultListen = [
    { addr = "unix:/run/nginx/virtualhosts.sock"; port = null; ssl = true; }
  ];

  virtualHosts = {
    "default" = {
      default = true;
      rejectSSL = true;
      locations."/".return = "404";
    };
  };
};

http {
server {
  listen unix:/run/nginx/virtualhosts.sock:443 ssl default_server ; # <-- port is added here
  server_name default ;
  ssl_reject_handshake on;
  location / {
    return 404;
  }
}
}

Expected behavior

The mapping code should not force a port if the addr has prefix unix:.
If port attribute remains at null, the port will not be written out to the nginx configuration, effectively omitting the ":443" from the above snippet

Additional context

Code in question is here (I think)

nixpkgs/nixos/modules/services/web-servers/nginx/default.nix

Lines 304 to 314 in 6df2492

	mkDefaultListenVhost = listenLines:
	# If this vhost has SSL or is a SSL rejection host.
	# We enable a TLS variant for lines without explicit ssl or ssl = true.
	optionals (hasSSL || vhost.rejectSSL)
	(map (listen: { port = cfg.defaultSSLListenPort; ssl = true; } // listen)
	(filter (listen: !(listen ? ssl) || listen.ssl) listenLines))
	# If this vhost is supposed to serve HTTP
	# We provide listen lines for those without explicit ssl or ssl = false.
	++ optionals (!onlySSL)
	(map (listen: { port = cfg.defaultHTTPListenPort; ssl = false; } // listen)
	(filter (listen: !(listen ? ssl) || !listen.ssl) listenLines));

Metadata

[bert-proesmans@development:~/nix]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.66, NixOS, 25.05 (Warbler), 25.05.20241219.d70bd19`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.24.11`
 - nixpkgs: `/nix/store/8fwsiv0hd7nw1brkvka0jf1frk3m7qkr-source`

Notify maintainers

No meta tag or maintainers reference, so falling back to;

• @SuperSandro2000 because of last commit author of options file on main
• @RaitoBezarius git blame result on code block in question

---

Note for maintainers: Please tag this issue in your PR.

---

Add a 👍 reaction to issues you find important.

[Bert-Proesmans]

A workaround is setting the listen configuration manually on each virtual host attribute set.
As mentioned above, the nginx configuration printer already handles an unset port correctly.

services.nginx = {
  enable = true;
  defaultListen = [
    { addr = "unix:/run/nginx/virtualhosts.sock"; port = null; ssl = true; }
  ];

  virtualHosts = 
    let
      defaultListen = {
        listen = [
          { addr = "unix:/run/nginx/virtualhosts.sock"; port = null; ssl = true; }
        ];
      };
    in
    {
    "default" = {
      default = true;
      rejectSSL = true;
      locations."/".return = "404";
    } // defaultListen;
  };
};

[SuperSandro2000]

Could you provide a fix PR for that?

[Bert-Proesmans]

Sure, is something like the following ok?

optionals (hasSSL || vhost.rejectSSL) 
     (map (listen: { port = lib.mkIf !(lib.strings.hasPrefix "unix:" cfg.addr) cfg.defaultSSLListenPort; ssl = true; } // listen) 
     [..]