From 041633d012360361e38b986d571643c74f068ffc Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Sun, 4 Jan 2026 23:43:15 +0000
Subject: [PATCH] fix(pm/nginx): correct missinghost.invalid startup
Change-Id: sutwurlpzwxtnzlwxrvmoysnmoonkpqr
Since https://github.com/NixOS/nixpkgs/commit/2d0a48912550cdc39a64e71d09d2c838973871ad, ACME certificates have been issued using a different set of services. The missinghost.invalid configuration here ended up breaking the nginx startup by making it so no selfsigned certificate was ever generated, getting nginx to die on a missing certificate. Additonally, also as a result of this ACME rework, Stalwart was waiting on a bunch of nonexistent things and now no longer is
---
 packetmix/systems/common/nginx.nix | 12 +++++++-----
 packetmix/systems/teal/stalwart.nix | 6 ++----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/packetmix/systems/common/nginx.nix b/packetmix/systems/common/nginx.nix
index f91803fb..2b0c5d8e 100644
--- a/packetmix/systems/common/nginx.nix
+++ b/packetmix/systems/common/nginx.nix
@@ -21,12 +21,14 @@
 '';
 };
- systemd.services."acme-missinghost.invalid".enable = false;
- systemd.timers."acme-missinghost.invalid".enable = false;
+ systemd.services."acme-order-renew-missinghost.invalid".enable = false;
- systemd.targets."acme-finished-missinghost.invalid" = {
- requires = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
- after = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ systemd.services."acme-missinghost.invalid" = {
+ wants = lib.mkForce [
+ "acme-setup.service"
+ ];
+ before = lib.mkForce [ ];
+ restartTriggers = lib.mkForce [ ];
 };
 security.acme.acceptTerms = true;
diff --git a/packetmix/systems/teal/stalwart.nix b/packetmix/systems/teal/stalwart.nix
index a01063b8..71a204f5 100644
--- a/packetmix/systems/teal/stalwart.nix
+++ b/packetmix/systems/teal/stalwart.nix
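Review bot: In packetmix/systems/common/nginx.nix the new overrides on `acme-missinghost.invalid` and `acme-order-renew-missinghost.invalid` carry no comment explaining them, although they depend on unit names internal to the nixpkgs ACME module. The commit message describes what that costs: after the upstream rework the previous overrides left nginx without a self-signed certificate, and nothing flagged it before startup failed. A comment above the block would help, for example `# missinghost.invalid can never pass ACME validation, so keep only the self-signed certificate and never order one; unit names follow nixpkgs 2d0a4891, re-check when the ACME module changes`. The same comment should say why `before` and `restartTriggers` are forced empty, which this hunk does not show. The enclosing attribute set starts and ends outside the hunk.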
@@ -143,15 +143,13 @@ in
 systemd.services.stalwart-mail = {
 requires = [ "postgresql.service" ];
 wants = [
- "acme-finished-mail.freshly.space.target"
+ "acme-mail.freshly.space.service"
 ]
- ++ (map (domain: "acme-finished-${domain}.target") mail_domains);
+ ++ (map (domain: "acme-${domain}.service") mail_domains);
 after = [
- "acme-selfsigned-mail.freshly.space.service"
 "acme-mail.freshly.space.service"
 "postgresql.service"
 ]
- ++ (map (domain: "acme-selfsigned-${domain}.service") mail_domains)
 ++ (map (domain: "acme-${domain}.service") mail_domains);
 serviceConfig.RestrictAddressFamilies = lib.mkForce [ ]; # We need the default restricted address families to access the postgres socket
 };
-- 
2.43.0
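Review bot: `wants` and `after` in `systemd.services.stalwart-mail` now spell out the same list of ACME units twice, and drift between such lists and the real unit names is what this commit repairs; systemd does not reject `Wants=`/`After=` entries that name units which do not exist, so a stale name goes unnoticed. Building the list once would keep the two in step: `acme_units = map (domain: "acme-${domain}.service") ([ "mail.freshly.space" ] ++ mail_domains);` in the surrounding `let`, then `wants = acme_units;` and `after = acme_units ++ [ "postgresql.service" ];`. Separately, if certificate issuance now runs in `acme-order-renew-<domain>.service`, as the nginx.nix change suggests, ordering after `acme-<domain>.service` may only guarantee the self-signed placeholder, so it is worth confirming that Stalwart picks up the issued certificate without a restart. The `let` block is outside this hunk.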