From b311268a50c34f28797a45f6febcff11c4b498a0 Mon Sep 17 00:00:00 2001
From: Gabriel Ebner
Date: Fri, 30 Oct 2020 19:06:17 +0100
Subject: [PATCH] mastus: acme breakage
---
 mastus/letsencrypt.nix | 20 ++++++++++----------
 mastus/radicale.nix | 2 +-
 mastus/ttrss.nix | 2 +-
 mastus/website.nix | 3 +--
 mastus/www.nix | 4 ----
 5 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/mastus/letsencrypt.nix b/mastus/letsencrypt.nix
index d91e0ba..38e3f1a 100644
--- a/mastus/letsencrypt.nix
+++ b/mastus/letsencrypt.nix
@@ -5,16 +5,16 @@
 "gebner.org" = {
 webroot = "/var/lib/acme/acme-challenge";
 email = "gebner@gebner.org";
- extraDomains = {
- "git.gebner.org" = null;
- "mail.gebner.org" = null;
- "gebner.org" = null;
- "www.gebner.org" = null;
- "gabrielebner.at" = null;
- "www.gabrielebner.at" = null;
- "2b7e.org" = null;
- "www.2b7e.org" = null;
- };
+ extraDomains = [
+ "git.gebner.org"
+ "mail.gebner.org"
+ "gebner.org"
+ "www.gebner.org"
+ "gabrielebner.at"
+ "www.gabrielebner.at"
+ "2b7e.org"
+ "www.2b7e.org"
+ ];
 postRun = ''
 systemctl reload nginx
diff --git a/mastus/radicale.nix b/mastus/radicale.nix
index 13d4304..a5f1aad 100644
--- a/mastus/radicale.nix
+++ b/mastus/radicale.nix
@@ -24,7 +24,7 @@ in
 '';
 };
- security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
+ security.acme.certs."gebner.org".extraDomainNames = [ "radicale.gebner.org" ];
 services.nginx = {
 recommendedProxySettings = true;
diff --git a/mastus/ttrss.nix b/mastus/ttrss.nix
index 5da7ab0..560b975 100644
--- a/mastus/ttrss.nix
+++ b/mastus/ttrss.nix
@@ -65,7 +65,7 @@
 networking.nat.internalInterfaces = ["ve-+"];
 networking.nat.externalInterface = "ens3";
- security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
+ security.acme.certs."gebner.org".extraDomainNames = [ "reader.gebner.org" ];
 services.nginx = {
 virtualHosts."reader.gebner.org" = {
diff --git a/mastus/website.nix b/mastus/website.nix
index e388c91..9e37955 100644
--- a/mastus/website.nix
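Review bot: In the mastus/letsencrypt.nix hunk the attribute is still spelled `extraDomains` although its value is now a list, while the radicale.nix and ttrss.nix hunks of this same patch define `extraDomainNames` on the same `"gebner.org"` certificate. If the ACME module only merges `extraDomainNames`, as those two hunks suggest, the eight base names listed here would either fail evaluation or be left out of the certificate's SAN list. That would leave hosts such as mail.gebner.org and git.gebner.org without a certificate that matches their name. The opening line should probably read `extraDomainNames = [`. The enclosing `"gebner.org"` attribute set continues past the end of the hunk, so whether anything else still sets the old name cannot be checked from here.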
+++ b/mastus/website.nix
@@ -5,11 +5,10 @@
 services.nginx = {
 virtualHosts."gebner.org" = {
 enableACME = true;
- useACMEHost = "gebner.org";
 forceSSL = true;
 root = "/srv/www.gebner.org";
 extraConfig = ''
- access_log logs/website_access.log;
+ access_log /var/log/nginx/website_access.log;
 error_page 404 403 /404.html;
diff --git a/mastus/www.nix b/mastus/www.nix
index d0b48b2..83961f4 100644
--- a/mastus/www.nix
+++ b/mastus/www.nix
@@ -30,8 +30,4 @@
 };
 };
- # TODO: acme certificates are owned by root
- # This workaround is from https://github.com/NixOS/nixpkgs/pull/84960
- services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
- systemd.services.nginx.serviceConfig.User = pkgs.lib.mkForce "root";
 }