maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(tazjin/camden): Backport 19.09 ACME module

Browse source 
The new one is causing breakage for me, but I have no time to debug
this, so I'm backporting the old one.

AFAICT the simp_le included in this channel should be new enough to
have ACMEv2 compat, we'll see if it works.

Change-Id: Ib8b869a5af8a0418a66017a0cf3b9336df5f2d05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2017
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This commit is contained in:
Vincent Ambo 2020-10-04 11:30:51 +00:00 committed by tazjin
parent 3fc1143a04
commit 2670f84f5f
1 changed files with 20 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

21
users/tazjin/nixos/camden/default.nix
View file

@ -14,12 +14,24 @@ config: let
extraConfig = "return 301 https://${to}$request_uri;"; extraConfig = "return 301 https://${to}$request_uri;";
}; };
in lib.fix(self: { in lib.fix(self: {
imports = [ depot = depot;
# Disable the current ACME module and use the old one from 19.09
# instead, until the various regressions have been sorted out.
# TODO(tazjin): Remove this once the new ACME module works.
disabledModules = [ "security/acme.nix" ];
imports =
let oldChannel = fetchTarball {
# NixOS 19.09 on 2020-10-04
url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
};
in [
"${depot.depotPath}/ops/nixos/depot.nix" "${depot.depotPath}/ops/nixos/depot.nix"
"${depot.depotPath}/ops/nixos/quassel.nix" "${depot.depotPath}/ops/nixos/quassel.nix"
"${depot.depotPath}/ops/nixos/smtprelay.nix" "${depot.depotPath}/ops/nixos/smtprelay.nix"
"${oldChannel}/nixos/modules/security/acme.nix"
]; ];
depot = depot;
# camden is intended to boot unattended, despite having an encrypted # camden is intended to boot unattended, despite having an encrypted
# root partition. # root partition.
@ -186,10 +198,10 @@ in lib.fix(self: {
# Provision a TLS certificate outside of nginx to avoid # Provision a TLS certificate outside of nginx to avoid
# nixpkgs#38144 # nixpkgs#38144
security.acme = { security.acme = {
acceptTerms = true; # acceptTerms = true;
email = "mail@tazj.in";
certs."tazj.in" = { certs."tazj.in" = {
email = "mail@tazj.in";
user = "nginx"; user = "nginx";
group = "nginx"; group = "nginx";
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";
@ -205,6 +217,7 @@ in lib.fix(self: {
}; };
certs."quassel.tazj.in" = { certs."quassel.tazj.in" = {
email = "mail@tazj.in";
webroot = "/var/lib/acme/challenge-quassel"; webroot = "/var/lib/acme/challenge-quassel";
user = "nginx"; # required because of a bug in the ACME module user = "nginx"; # required because of a bug in the ACME module
group = "quassel"; group = "quassel";