author | Vincent Ambo <mail@tazj.in> | 2022-05-26T14·39+0200 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2022-05-26T15·40+0000 |
commit | 565993f016734c461fa0ae66117eaf081818f5ce (patch) | |
tree | 5215b1daa015c9ca2e4dc647bfa000c1faedaec1 /users/tazjin/nixos/camden | |
parent | 48dfefe40da98012b6fbfc0eaf0933389095c1c5 (diff) |
refactor(tazjin): Additional restricted-eval cleanup r/4137
Change-Id: I4baa94f65a16248023b5fb0e2dd305d6984566c8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5690 Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
Diffstat (limited to 'users/tazjin/nixos/camden')
-rw-r--r-- | users/tazjin/nixos/camden/default.nix | 27 |
1 files changed, 6 insertions, 21 deletions
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index 4f046d8ec157..6568d6341e1b 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -10,25 +10,13 @@ let
 extraConfig = "return 301 https://${to}$request_uri;";
 };
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
 in lib.fix (self: {
- # Disable the current ACME module and use the old one from 19.09
- # instead, until the various regressions have been sorted out.
- # TODO(tazjin): Remove this once the new ACME module works.
- disabledModules = [ "security/acme" ];
- imports =
- let
- oldChannel = fetchTarball {
- # NixOS 19.09 on 2020-10-04
- url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
- sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
- };
- in
- [
- "${depot.path}/ops/modules/quassel.nix"
- "${depot.path}/ops/modules/smtprelay.nix"
- "${oldChannel}/nixos/modules/security/acme.nix"
- ];
+ imports = [
+ (mod "quassel.nix")
+ (mod "smtprelay.nix")
+ ];
 # camden is intended to boot unattended, despite having an encrypted
 # root partition.
@@ -201,11 +189,10 @@ lib.fix (self: {
 # Provision a TLS certificate outside of nginx to avoid
 # nixpkgs#38144
 security.acme = {
- # acceptTerms = true;
+ acceptTerms = true;
 certs."tazj.in" = {
 email = "mail@tazj.in";
- user = "nginx";
 group = "nginx";
 webroot = "/var/lib/acme/acme-challenge";
 extraDomains = {
@@ -222,9 +209,7 @@ lib.fix (self: {
 certs."quassel.tazj.in" = {
 email = "mail@tazj.in";
 webroot = "/var/lib/acme/challenge-quassel";
- user = "nginx"; # required because of a bug in the ACME module
 group = "quassel";
- allowKeysForGroup = true;
 };
 };
|
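Review bot: The new `mod` helper in the first hunk carries no comment saying why modules are now resolved through `depot.path.origSrc` instead of the `"${depot.path}/..."` interpolation the removed lines used; the commit title attributes it to restricted-eval cleanup, but the code itself does not. A reader who later sees both forms in the depot has no way to tell which one is intended, so a one-line comment above the binding would help, e.g. `# Resolve an ops module by path under the depot's original source tree (origSrc) rather than through a store path — presumably so it evaluates under restricted mode; confirm against ops/modules conventions.` The enclosing `let` block begins before this hunk, and the `imports` list the helper feeds is the only caller visible here.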
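Review bot: Removing `user = "nginx";` from `certs."tazj.in"` in the second hunk, and from `certs."quassel.tazj.in"` in the third, means the private keys are no longer owned by the consuming service and nginx and quassel depend entirely on `group = "nginx"` / `group = "quassel"` for read access, while the third hunk also drops `allowKeysForGroup = true;` without replacing it. That combination appears to assume the ACME module revision now in use (the 19.09 pin is gone with the first hunk) makes keys group-readable by default; if it does not, the failure shows up at service start rather than at evaluation, so it is worth confirming against the nixpkgs revision the depot pins before deploying. The `# required because of a bug in the ACME module` rationale disappears with the line, which is fine, but the remaining `group = "quassel";` would read better with a note such as `# key must be group-readable; quassel runs in this group` so the permission dependency stays visible. The `security.acme` block starts and ends outside these hunks.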