Diffstat (limited to 'users/tazjin/nixos/camden')
-rw-r--r-- | users/tazjin/nixos/camden/default.nix | 27 |
1 files changed, 6 insertions, 21 deletions
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index 4f046d8ec157..6568d6341e1b 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -10,25 +10,13 @@ let
 extraConfig = "return 301 https://${to}$request_uri;";
 };
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
 in lib.fix (self: {
- # Disable the current ACME module and use the old one from 19.09
- # instead, until the various regressions have been sorted out.
- # TODO(tazjin): Remove this once the new ACME module works.
- disabledModules = [ "security/acme" ];
- imports =
- let
- oldChannel = fetchTarball {
- # NixOS 19.09 on 2020-10-04
- url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
- sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
- };
- in
- [
- "${depot.path}/ops/modules/quassel.nix"
- "${depot.path}/ops/modules/smtprelay.nix"
- "${oldChannel}/nixos/modules/security/acme.nix"
- ];
+ imports = [
+ (mod "quassel.nix")
+ (mod "smtprelay.nix")
+ ];
 # camden is intended to boot unattended, despite having an encrypted
 # root partition.
@@ -201,11 +189,10 @@ lib.fix (self: {
 # Provision a TLS certificate outside of nginx to avoid
 # nixpkgs#38144
 security.acme = {
- # acceptTerms = true;
+ acceptTerms = true;
 certs."tazj.in" = {
 email = "mail@tazj.in";
- user = "nginx";
 group = "nginx";
 webroot = "/var/lib/acme/acme-challenge";
 extraDomains = {
@@ -222,9 +209,7 @@ lib.fix (self: {
 certs."quassel.tazj.in" = {
 email = "mail@tazj.in";
 webroot = "/var/lib/acme/challenge-quassel";
- user = "nginx"; # required because of a bug in the ACME module
 group = "quassel";
- allowKeysForGroup = true;
 };
 }; |
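Review bot: The new `mod` helper in the first hunk has no comment, and because it builds the path from `depot.path.origSrc` where the removed lines used `"${depot.path}/ops/modules/..."`, a reader cannot tell from the hunk whether the switch to `origSrc` is deliberate or incidental. Suggest `# Resolve a NixOS module by file name inside the depot's ops/modules directory.` above the binding, plus a short note on why `origSrc` rather than `depot.path` is the intended root if that matters for evaluation. The enclosing `let` block starts before this hunk.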
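Review bot: With `user = "nginx";` removed from `certs."tazj.in"` in the second hunk, and `allowKeysForGroup = true;` removed from `certs."quassel.tazj.in"` in the third, nginx's and quassel's access to the private keys now rests entirely on the `group = "nginx"` / `group = "quassel"` lines and on the current ACME module making key material group-readable by default, which nothing in this diff shows; if that default does not hold, the failure would surface at certificate load or renewal rather than at evaluation. Suggest recording the dependency next to each group line, e.g. `group = "nginx"; # nginx reads key.pem via group ownership; relies on the module keeping keys group-readable`, so the intent of the removed `# required because of a bug in the ACME module` comment is not lost. The ACME client presumably no longer runs as the nginx user after this change, which narrows its privileges compared to the old configuration and is worth a sentence in the commit description. The `security.acme` attribute set continues past both hunks.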