From 565993f016734c461fa0ae66117eaf081818f5ce Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 26 May 2022 16:39:56 +0200
Subject: refactor(tazjin): Additional restricted-eval cleanup
Change-Id: I4baa94f65a16248023b5fb0e2dd305d6984566c8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5690
Reviewed-by: tazjin
Reviewed-by: sterni
Autosubmit: tazjin
Tested-by: BuildkiteCI
---
 users/tazjin/nixos/camden/default.nix | 27 ++++++---------------------
 users/tazjin/nixos/frog/default.nix | 2 +-
 2 files changed, 7 insertions(+), 22 deletions(-)
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index 4f046d8ec1..6568d6341e 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -10,25 +10,13 @@ let
 extraConfig = "return 301 https://${to}$request_uri;";
 };
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
 in
 lib.fix (self: {
- # Disable the current ACME module and use the old one from 19.09
- # instead, until the various regressions have been sorted out.
- # TODO(tazjin): Remove this once the new ACME module works.
- disabledModules = [ "security/acme" ];
- imports =
- let
- oldChannel = fetchTarball {
- # NixOS 19.09 on 2020-10-04
- url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
- sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
- };
- in
- [
- "${depot.path}/ops/modules/quassel.nix"
- "${depot.path}/ops/modules/smtprelay.nix"
- "${oldChannel}/nixos/modules/security/acme.nix"
- ];
+ imports = [
+ (mod "quassel.nix")
+ (mod "smtprelay.nix")
+ ];
 # camden is intended to boot unattended, despite having an encrypted
 # root partition.
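Review bot: The new `mod` helper carries no comment explaining why it builds the import path from `depot.path.origSrc` instead of the `"${depot.path}/..."` interpolation it replaces, so the next editor is likely to drift back to the string form. A one-liner above it would settle that, e.g. `# presumably: referencing origSrc avoids copying the whole depot into the store under restricted eval -- confirm`. Dropping `disabledModules = [ "security/acme" ]` together with the pinned 19.09 tarball also means the ACME module of the host's current nixpkgs is now in effect, which is why the `acceptTerms = true;` flip at the hunk near line 189 becomes necessary; a short note tying those two together would help. The enclosing `lib.fix (self: {` attribute set continues past the end of this hunk.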
@@ -201,11 +189,10 @@ lib.fix (self: {
 # Provision a TLS certificate outside of nginx to avoid
 # nixpkgs#38144
 security.acme = {
- # acceptTerms = true;
+ acceptTerms = true;
 certs."tazj.in" = {
 email = "mail@tazj.in";
- user = "nginx";
 group = "nginx";
 webroot = "/var/lib/acme/acme-challenge";
 extraDomains = {
@@ -222,9 +209,7 @@ lib.fix (self: {
 certs."quassel.tazj.in" = {
 email = "mail@tazj.in";
 webroot = "/var/lib/acme/challenge-quassel";
- user = "nginx"; # required because of a bug in the ACME module
 group = "quassel";
- allowKeysForGroup = true;
 };
 };
diff --git a/users/tazjin/nixos/frog/default.nix b/users/tazjin/nixos/frog/default.nix
index 6a9848fbe0..35d7f9c775 100644
--- a/users/tazjin/nixos/frog/default.nix
+++ b/users/tazjin/nixos/frog/default.nix
@@ -12,7 +12,7 @@ let
 in
 lib.fix (self: {
 imports = [
- "${depot.path}/ops/modules/v4l2loopback.nix"
+ (depot.path.origSrc + "/ops/modules/v4l2loopback.nix")
 ];
 boot = {
--
cgit 1.4.1
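Review bot: Removing `user = "nginx";` from the `tazj.in` cert here, and `user = "nginx";` plus `allowKeysForGroup = true;` from the `quassel.tazj.in` cert in the next hunk (around line 209), leaves both certificates owned by whatever user the current ACME module defaults to, with only `group = "nginx"` / `group = "quassel"` left to grant the consuming service access to the private key. That is the right shape for the newer module as far as I can tell, but the hunk should state the assumption it now relies on, namely that the module's default key mode is group-readable and that the quassel service runs with group `quassel`; otherwise the quassel key silently becomes unreadable once the old `allowKeysForGroup` escape hatch is gone. Suggested comment on the quassel cert: `group = "quassel"; # key must stay group-readable; quassel reads it via this group`. The `security.acme` attribute set starts before the second hunk and closes after the `extraDomains` block outside the first one.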
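Review bot: The frog import at line 12 now spells out `(depot.path.origSrc + "/ops/modules/v4l2loopback.nix")` inline, which repeats the `mod` helper camden introduces in the same commit and, like it, says nothing about why `origSrc` is used; the two files will drift apart the next time either list is touched. Either a short comment, e.g. `# origSrc rather than "${depot.path}" -- presumably to avoid copying the whole depot into the store; confirm`, or a single shared helper in the depot that both hosts import would keep the reasoning in one place. The `lib.fix (self: {` set begins inside this hunk but closes well past it.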