authorVincent Ambo <tazjin@google.com>2020-10-04T11·30+0000
committertazjin <mail@tazj.in>2020-10-04T15·51+0000
commit2670f84f5f34699776ff51a2afb1b737737cedaa (patch)
treebe926de165feaeb415924c112656679b8e3a7fe6
parent3fc1143a04da49a92c3663813c6a0c1e8ccd477f (diff)
fix(tazjin/camden): Backport 19.09 ACME module r/1832
The new one is causing breakage for me, but I have no time to debug
this, so I'm backporting the old one.

AFAICT the simp_le included in this channel should be new enough to
have ACMEv2 compat, we'll see if it works.

Change-Id: Ib8b869a5af8a0418a66017a0cf3b9336df5f2d05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2017
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
-rw-r--r--users/tazjin/nixos/camden/default.nix27
1 files changed, 20 insertions, 7 deletions
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index f1cbffd305..aae1427f67 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -14,13 +14,25 @@ config: let
     extraConfig = "return 301 https://${to}$request_uri;";
   };
 in lib.fix(self: {
-  imports = [
-    "${depot.depotPath}/ops/nixos/depot.nix"
-    "${depot.depotPath}/ops/nixos/quassel.nix"
-    "${depot.depotPath}/ops/nixos/smtprelay.nix"
-  ];
   depot = depot;
 
+  # Disable the current ACME module and use the old one from 19.09
+  # instead, until the various regressions have been sorted out.
+  # TODO(tazjin): Remove this once the new ACME module works.
+  disabledModules = [ "security/acme.nix" ];
+  imports =
+    let oldChannel = fetchTarball {
+      # NixOS 19.09 on 2020-10-04
+      url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
+      sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
+    };
+    in [
+      "${depot.depotPath}/ops/nixos/depot.nix"
+      "${depot.depotPath}/ops/nixos/quassel.nix"
+      "${depot.depotPath}/ops/nixos/smtprelay.nix"
+      "${oldChannel}/nixos/modules/security/acme.nix"
+    ];
+
   # camden is intended to boot unattended, despite having an encrypted
   # root partition.
   #
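Review bot: The imported module is now frozen at the pinned 19.09 commit, so any later fixes to the ACME module in the running channel (including changes to how simp_le is invoked, which the commit message says is still unverified for ACMEv2) will not reach this host until the TODO is resolved. The `fetchTarball` call with an explicit `sha256` is the right shape here, since a changed archive fails evaluation instead of silently loading different module code; the note should state that. I would extend the comment above `disabledModules` with `# The sha256 pins the module contents; a mismatch means the upstream archive changed and must be re-reviewed, not just re-hashed.` so the next person who hits a hash mismatch does not update the hash blindly. The surrounding `lib.fix` attribute set continues outside the hunk.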
@@ -186,10 +198,10 @@ in lib.fix(self: {
   # Provision a TLS certificate outside of nginx to avoid
   # nixpkgs#38144
   security.acme = {
-    acceptTerms = true;
-    email = "mail@tazj.in";
+    # acceptTerms = true;
 
     certs."tazj.in" = {
+      email = "mail@tazj.in";
       user = "nginx";
       group = "nginx";
       webroot = "/var/lib/acme/acme-challenge";
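Review bot: The commented-out `# acceptTerms = true;` is left without any explanation, so a reader cannot tell whether it was disabled deliberately or by accident; presumably the backported 19.09 module does not declare that option and the per-cert `email` moves for the same reason, but the hunk does not say so. I would replace the bare commented line with `# acceptTerms and the top-level email are not options of the backported 19.09 module; restore both when switching back to the channel's ACME module.` so the setting is re-enabled together with the TODO at the top of the file. The same per-cert `email` duplication appears in the following hunk for "quassel.tazj.in" and would be covered by that one comment. The `security.acme` attribute set continues outside the hunk.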
@@ -205,6 +217,7 @@ in lib.fix(self: {
     };
 
     certs."quassel.tazj.in" = {
+      email = "mail@tazj.in";
       webroot = "/var/lib/acme/challenge-quassel";
       user = "nginx"; # required because of a bug in the ACME module
       group = "quassel";