mastus: acme breakage

2020-10-30 19:06:17 +01:00 · 2020-10-30 19:06:17 +01:00 · b311268a50
commit b311268a50
parent 40783c7331
5 changed files with 13 additions and 18 deletions
--- a/mastus/letsencrypt.nix
+++ b/mastus/letsencrypt.nix
@ -5,16 +5,16 @@
    "gebner.org" = {
      webroot = "/var/lib/acme/acme-challenge";
      email = "gebner@gebner.org";
-      extraDomains = {
-        "git.gebner.org" = null;
-        "mail.gebner.org" = null;
-        "gebner.org" = null;
-        "www.gebner.org" = null;
-        "gabrielebner.at" = null;
-        "www.gabrielebner.at" = null;
-        "2b7e.org" = null;
-        "www.2b7e.org" = null;
-      };
+      extraDomains = [
+        "git.gebner.org"
+        "mail.gebner.org"
+        "gebner.org"
+        "www.gebner.org"
+        "gabrielebner.at"
+        "www.gabrielebner.at"
+        "2b7e.org"
+        "www.2b7e.org"
+      ];

      postRun = ''
        systemctl reload nginx
--- a/mastus/radicale.nix
+++ b/mastus/radicale.nix
@ -24,7 +24,7 @@ in
    '';
  };

-  security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
+  security.acme.certs."gebner.org".extraDomainNames = [ "radicale.gebner.org" ];

  services.nginx = {
    recommendedProxySettings = true;
--- a/mastus/ttrss.nix
+++ b/mastus/ttrss.nix
@ -65,7 +65,7 @@
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "ens3";

-  security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
+  security.acme.certs."gebner.org".extraDomainNames = [ "reader.gebner.org" ];

  services.nginx = {
    virtualHosts."reader.gebner.org" = {
--- a/mastus/website.nix
+++ b/mastus/website.nix
@ -5,11 +5,10 @@
  services.nginx = {
    virtualHosts."gebner.org" = {
      enableACME = true;
-      useACMEHost = "gebner.org";
      forceSSL = true;
      root = "/srv/www.gebner.org";
      extraConfig = ''
-        access_log logs/website_access.log;
+        access_log /var/log/nginx/website_access.log;

        error_page 404 403 /404.html;

--- a/mastus/www.nix
+++ b/mastus/www.nix
@ -30,8 +30,4 @@
    };
  };

-  # TODO: acme certificates are owned by root
-  # This workaround is from https://github.com/NixOS/nixpkgs/pull/84960
-  services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
-  systemd.services.nginx.serviceConfig.User = pkgs.lib.mkForce "root";
 }