fix(pm/nginx): correct missinghost.invalid startup #151

merged
opened by a.starrysky.fyi targeting main from private/minion/push-sutwurlpzwxt

Since https://github.com/NixOS/nixpkgs/commit/2d0a48912550cdc39a64e71d09d2c838973871ad, ACME certificates have been issued using a different set of services. The missinghost.invalid configuration here ended up breaking the nginx startup by making it so no selfsigned certificate was ever generated, getting nginx to die on a missing certificate.

Additionally, also as a result of this ACME rework, Stalwart was waiting on a bunch of nonexistent units and now no longer is.

Changed files
+11 -11
+9 -7
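--- a/packetmix/systems/common/nginx.nix
+++ b/packetmix/systems/common/nginx.nix
@@ -21,21 +21,23 @@
 '';
 };
 
-systemd.services."acme-missinghost.invalid".enable = false;
-systemd.timers."acme-missinghost.invalid".enable = false;
+systemd.services."acme-order-renew-missinghost.invalid".enable = false;
 
-systemd.targets."acme-finished-missinghost.invalid" = {
-requires = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
-after = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+systemd.services."acme-missinghost.invalid" = {
+wants = lib.mkForce [
+"acme-setup.service"
+];
+before = lib.mkForce [ ];
+restartTriggers = lib.mkForce [ ];
 };
 
 security.acme.acceptTerms = true;
 security.acme.certs = lib.mkIf config.services.nginx.enable {
 "missinghost.invalid" = {
-dnsProvider = null;
+dnsProvider = "invalidns";
 listenHTTP = null;
 s3Bucket = null;
-webroot = "/dev/null";
+webroot = null; # We can't use webroot as the setup service validates it...
 email = "invalid@missinghost.invalid";
 }; # Nix requires some values, even if we're actually disabling the acme-missinghost.invalid service... that's problematic if there are no defaults for the system
 };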
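Review bot: Only the `acme-order-renew-missinghost.invalid` service is disabled on new line 24, while the old code disabled both the service and its timer. If the reworked nixpkgs ACME module still generates a timer for the order-renew unit, that timer will keep firing against a disabled unit and log a failed activation on every tick, so it is worth adding `systemd.timers."acme-order-renew-missinghost.invalid".enable = false;` next to it (or confirming in the module that no such timer exists). The value `dnsProvider = "invalidns"` on new line 37 is a deliberately non-existent provider that is only harmless because the renew unit never runs; the trailing comment on the `};` below explains why values are needed at all, but a comment such as `# Not a real provider; only satisfies the module, the renew unit is disabled above` at that line would make the coupling explicit. The `wants = lib.mkForce [ "acme-setup.service" ]` override replaces whatever the module wires in for this unit, which appears intended given the description, but a one-line comment stating that the unit is kept solely to produce the self-signed fallback would help the next reader understand why `before` and `restartTriggers` are emptied.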
+2 -4
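--- a/packetmix/systems/teal/stalwart.nix
+++ b/packetmix/systems/teal/stalwart.nix
@@ -143,15 +143,13 @@
 systemd.services.stalwart-mail = {
 requires = [ "postgresql.service" ];
 wants = [
-"acme-finished-mail.freshly.space.target"
+"acme-mail.freshly.space.service"
 ]
-++ (map (domain: "acme-finished-${domain}.target") mail_domains);
+++ (map (domain: "acme-${domain}.service") mail_domains);
 after = [
-"acme-selfsigned-mail.freshly.space.service"
 "acme-mail.freshly.space.service"
 "postgresql.service"
 ]
-++ (map (domain: "acme-selfsigned-${domain}.service") mail_domains)
 ++ (map (domain: "acme-${domain}.service") mail_domains);
 serviceConfig.RestrictAddressFamilies = lib.mkForce [ ]; # We need the default restricted address families to access the postgres socket
 };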
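Review bot: The new `wants` list depends on `acme-<domain>.service` being the unit that, after the nixpkgs rework, guarantees a certificate (self-signed or issued) is on disk before Stalwart reads it, replacing both the `acme-finished-*.target` and `acme-selfsigned-*.service` dependencies that were dropped; nothing in the hunk records that assumption. A comment above `wants`, e.g. `# Since the nixpkgs ACME rework, acme-<domain>.service provides the cert (self-signed fallback included); finished/selfsigned units no longer exist`, would keep the next reader from re-adding the old names. If `mail_domains` already contains `mail.freshly.space`, the explicit entry is redundant with the mapped list; harmless for systemd, but worth checking so the two lists stay consistent. The `RestrictAddressFamilies` line and the enclosing attribute set continue outside this hunk.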