fix(tazjin/camden): Backport 19.09 ACME module

The new one is causing breakage for me, but I have no time to debug
this, so I'm backporting the old one.

AFAICT the simp_le included in this channel should be new enough to
have ACMEv2 compat, we'll see if it works.

Change-Id: Ib8b869a5af8a0418a66017a0cf3b9336df5f2d05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2017
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Vincent Ambo 2020-10-04 11:30:51 +00:00 committed by tazjin
parent 3fc1143a04
commit 2670f84f5f


@ -14,13 +14,25 @@ config: let
extraConfig = "return 301 https://${to}$request_uri;";
};
in lib.fix(self: {
imports = [
"${depot.depotPath}/ops/nixos/depot.nix"
"${depot.depotPath}/ops/nixos/quassel.nix"
"${depot.depotPath}/ops/nixos/smtprelay.nix"
];
depot = depot;
# Disable the current ACME module and use the old one from 19.09
# instead, until the various regressions have been sorted out.
# TODO(tazjin): Remove this once the new ACME module works.
disabledModules = [ "security/acme.nix" ];
imports =
let oldChannel = fetchTarball {
# NixOS 19.09 on 2020-10-04
url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
};
in [
"${depot.depotPath}/ops/nixos/depot.nix"
"${depot.depotPath}/ops/nixos/quassel.nix"
"${depot.depotPath}/ops/nixos/smtprelay.nix"
"${oldChannel}/nixos/modules/security/acme.nix"
];
# camden is intended to boot unattended, despite having an encrypted
# root partition.
#
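Review bot: The TODO at `# TODO(tazjin): Remove this once the new ACME module works.` pins the certificate-issuance path to a single 19.09 revision with no exit criterion, and a module pulled in by `fetchTarball` at a fixed `sha256` receives no fixes from either channel while the override is in place. Recording what actually breaks with the new module, or a tracking reference, next to the TODO would make clear when the pin can be dropped, e.g. `# TODO(tazjin): Remove this once the new ACME module works (tracked in <tracking ref>); the pinned 19.09 module gets no updates while this override is active.` The fetch itself is content-addressed by the `sha256`, so the pin is reproducible; it is only the staleness that needs to be visible to whoever reads this later. The `lib.fix(self: { ... })` attribute set continues past the end of the hunk.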
@ -186,10 +198,10 @@ in lib.fix(self: {
# Provision a TLS certificate outside of nginx to avoid
# nixpkgs#38144
security.acme = {
acceptTerms = true;
email = "mail@tazj.in";
# acceptTerms = true;
certs."tazj.in" = {
email = "mail@tazj.in";
user = "nginx";
group = "nginx";
webroot = "/var/lib/acme/acme-challenge";
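Review bot: The commented-out `# acceptTerms = true;` is left as a dead line with no explanation of why it was disabled, presumably because the 19.09 module backported in the first hunk does not define that option. A comment tying it to the override would keep the two changes in sync when the backport is reverted, e.g. `# acceptTerms is not an option of the backported 19.09 ACME module; restore it (and the top-level email) when disabledModules is removed.` The `security.acme` attribute set continues past the end of the hunk.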
@ -205,6 +217,7 @@ in lib.fix(self: {
};
certs."quassel.tazj.in" = {
email = "mail@tazj.in";
webroot = "/var/lib/acme/challenge-quassel";
user = "nginx"; # required because of a bug in the ACME module
group = "quassel";