diff --git a/mastus/letsencrypt.nix b/mastus/letsencrypt.nix
index f7d0626..d91e0ba 100644
--- a/mastus/letsencrypt.nix
+++ b/mastus/letsencrypt.nix
@@ -26,4 +26,6 @@
 };
 };
+ security.acme.acceptTerms = true;
+
 }
diff --git a/mastus/mail.nix b/mastus/mail.nix
index d857d19..aa87845 100644
--- a/mastus/mail.nix
+++ b/mastus/mail.nix
@@ -68,8 +68,6 @@
 sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
 sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
 extraConfig = ''
- ssl_protocols = !SSLv2 !SSLv3
-
 service auth {
 unix_listener /var/lib/postfix/queue/private/auth {
 mode = 0660
diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix
index 8cee5ad..6b76fca 100644
--- a/mastus/vmtest.nix
+++ b/mastus/vmtest.nix
@@ -28,6 +28,8 @@ let
 (haskell.lib.justStaticExecutables (haskellPackages.callPackage ../pkgs/wstunnel.nix {}))
 ];
+ systemd.services."acme-gebner.org".serviceConfig.ExecStart = pkgs.lib.mkForce "true";
+
 networking.extraHosts = ''
 127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
diff --git a/mastus/www.nix b/mastus/www.nix
index bb03b21..d0b48b2 100644
--- a/mastus/www.nix
+++ b/mastus/www.nix
@@ -29,4 +29,9 @@
 globalRedirect = "gebner.org";
 };
 };
+
+ # TODO: acme certificates are owned by root
+ # This workaround is from https://github.com/NixOS/nixpkgs/pull/84960
+ services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
+ systemd.services.nginx.serviceConfig.User = pkgs.lib.mkForce "root";
 }
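Review bot: Dropping `ssl_protocols = !SSLv2 !SSLv3` from the Dovecot `extraConfig` in mail.nix leaves the minimum TLS version to whatever the installed Dovecot defaults to, and the commit does not pin a replacement. If the line was removed because newer Dovecot releases no longer accept `ssl_protocols`, the equivalent is the newer directive, e.g. `ssl_min_protocol = TLSv1.2`, which also retires TLS 1.0/1.1 rather than only SSLv2/v3. Adding it in the same place keeps the policy explicit in the configuration instead of inherited from a package default that may change across upgrades. The `extraConfig` string continues outside the hunk.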
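Review bot: The `pkgs.lib.mkForce "true"` override in vmtest.nix stubs the ACME renewal unit with a bare command name; whether systemd resolves an unqualified `true` depends on its search path, and the store-path form `"${pkgs.coreutils}/bin/true"` is the conventional NixOS way to make that unambiguous. The line also deserves a comment saying why the unit is neutralised, e.g. `# Stub out ACME in the test VM: the hosts below resolve to 127.0.0.1, so no certificate can be issued`. Only `ExecStart` is forced here; any other `Exec*` steps the upstream unit may define still run, so this override is the first place to look if the test VM later fails during that service. The enclosing `let` expression starts outside the hunk.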
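Review bot: Forcing `systemd.services.nginx.serviceConfig.User` to `root` in www.nix widens the privilege of the nginx master process to work around certificate file ownership, and the `user` directive appended via `appendConfig` only drops the worker processes, not the master. A narrower fix within the options this configuration already uses is to grant nginx's group access to the certificate instead, e.g. `security.acme.certs."gebner.org".group = config.services.nginx.group;`, which keeps the unit unprivileged (adjust the cert name if this host uses a different one). The TODO should at least state the condition for removing the override, e.g. `# Drop the User=root override once the acme cert directory is group-readable by nginx`.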