mastus: fixes for 20.03

mastus/letsencrypt.nix

@@ -26,4 +26,6 @@
     };
   };
 
+  security.acme.acceptTerms = true;
+
 }

mastus/mail.nix

@@ -68,8 +68,6 @@
     sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
     sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
     extraConfig = ''
-      ssl_protocols = !SSLv2 !SSLv3
-
       service auth {
         unix_listener /var/lib/postfix/queue/private/auth {
           mode = 0660

mastus/vmtest.nix

@@ -28,6 +28,8 @@ let
       (haskell.lib.justStaticExecutables (haskellPackages.callPackage ../pkgs/wstunnel.nix {}))
     ];
 
+    systemd.services."acme-gebner.org".serviceConfig.ExecStart = pkgs.lib.mkForce "true";
+
     networking.extraHosts = ''
       127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
 

mastus/www.nix

@@ -29,4 +29,9 @@
       globalRedirect = "gebner.org";
     };
   };
+
+  # TODO: acme certificates are owned by root
+  # This workaround is from https://github.com/NixOS/nixpkgs/pull/84960
+  services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
+  systemd.services.nginx.serviceConfig.User = pkgs.lib.mkForce "root";
 }