authorVincent Ambo <mail@tazj.in>2022-05-26T14·39+0200
committerclbot <clbot@tvl.fyi>2022-05-26T15·40+0000
commit565993f016734c461fa0ae66117eaf081818f5ce (patch)
tree5215b1daa015c9ca2e4dc647bfa000c1faedaec1 /users/tazjin/nixos/camden
parent48dfefe40da98012b6fbfc0eaf0933389095c1c5 (diff)
refactor(tazjin): Additional restricted-eval cleanup r/4137
Change-Id: I4baa94f65a16248023b5fb0e2dd305d6984566c8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5690
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'users/tazjin/nixos/camden')
-rw-r--r--users/tazjin/nixos/camden/default.nix27
1 files changed, 6 insertions, 21 deletions
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index 4f046d8ec157..6568d6341e1b 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -10,25 +10,13 @@ let
 
     extraConfig = "return 301 https://${to}$request_uri;";
   };
+  mod = name: depot.path.origSrc + ("/ops/modules/" + name);
 in
 lib.fix (self: {
-  # Disable the current ACME module and use the old one from 19.09
-  # instead, until the various regressions have been sorted out.
-  # TODO(tazjin): Remove this once the new ACME module works.
-  disabledModules = [ "security/acme" ];
-  imports =
-    let
-      oldChannel = fetchTarball {
-        # NixOS 19.09 on 2020-10-04
-        url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
-        sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
-      };
-    in
-    [
-      "${depot.path}/ops/modules/quassel.nix"
-      "${depot.path}/ops/modules/smtprelay.nix"
-      "${oldChannel}/nixos/modules/security/acme.nix"
-    ];
+  imports = [
+    (mod "quassel.nix")
+    (mod "smtprelay.nix")
+  ];
 
   # camden is intended to boot unattended, despite having an encrypted
   # root partition.
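Review bot: The new `mod` helper has no comment saying why it resolves modules through `depot.path.origSrc` rather than the `"${depot.path}/ops/modules/..."` interpolation it replaces, so the reason for the distinction is only recoverable from the commit title. That title suggests this is presumably a restricted-evaluation concern, with `origSrc` being the unfiltered source path, but that is an inference; whoever knows should record it above the helper, e.g. `# Resolve an ops module via the original source tree; depot.path is not usable here under restricted evaluation.` — adjusted if the reason differs. Dropping the pinned 19.09 `fetchTarball` also removes this file's only network fetch, which is a meaningful reduction of evaluation-time inputs and could be named in the description. The `lib.fix (self: {` attribute set this hunk edits continues past the end of the hunk.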
@@ -201,11 +189,10 @@ lib.fix (self: {
   # Provision a TLS certificate outside of nginx to avoid
   # nixpkgs#38144
   security.acme = {
-    # acceptTerms = true;
+    acceptTerms = true;
 
     certs."tazj.in" = {
       email = "mail@tazj.in";
-      user = "nginx";
       group = "nginx";
       webroot = "/var/lib/acme/acme-challenge";
       extraDomains = {
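Review bot: With the 19.09 ACME module no longer imported, the `certs."tazj.in"` entry is evaluated by the current module, yet the unchanged `extraDomains = {` on the last context line is the old attrset form that was deprecated in favour of `extraDomainNames` in NixOS 20.09; the hunk only drops `user` and uncomments `acceptTerms`, so whether the nixpkgs pinned by this depot still accepts `extraDomains` should be checked before relying on this certificate. If it is no longer accepted, the replacement is the list form, `extraDomainNames = [ "<domain>" ];`, with the webroot kept on the cert itself. `acceptTerms = true;` is the required opt-in for the current module and reads fine here. The `security.acme` attribute set continues beyond this hunk.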
@@ -222,9 +209,7 @@ lib.fix (self: {
     certs."quassel.tazj.in" = {
       email = "mail@tazj.in";
       webroot = "/var/lib/acme/challenge-quassel";
-      user = "nginx"; # required because of a bug in the ACME module
       group = "quassel";
-      allowKeysForGroup = true;
     };
   };