From d10742e1819463a52ec24dd14ecc997c4af42b53 Mon Sep 17 00:00:00 2001 From: Skyler Grey Date: Sun, 4 Jan 2026 23:43:15 +0000 Subject: [PATCH] fix(pm/nginx): correct missinghost.invalid startup Change-Id: sutwurlpzwxtnzlwxrvmoysnmoonkpqr Since https://github.com/NixOS/nixpkgs/commit/2d0a48912550cdc39a64e71d09d2c838973871ad, ACME certificates have been issued using a different set of services. The missinghost.invalid configuration here ended up breaking the nginx startup by making it so no selfsigned certificate was ever generated, getting nginx to die on a missing certificate. Additionally, also as a result of this ACME rework, Stalwart was waiting on a bunch of nonexistent things and now no longer is --- packetmix/systems/common/nginx.nix | 16 +++++++++------- packetmix/systems/teal/stalwart.nix | 6 ++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/packetmix/systems/common/nginx.nix b/packetmix/systems/common/nginx.nix index f91803fb..0fc30b66 100644 --- a/packetmix/systems/common/nginx.nix +++ b/packetmix/systems/common/nginx.nix 
@@ -21,21 +21,23 @@ ''; }; - systemd.services."acme-missinghost.invalid".enable = false; - systemd.timers."acme-missinghost.invalid".enable = false; + systemd.services."acme-order-renew-missinghost.invalid".enable = false; - systemd.targets."acme-finished-missinghost.invalid" = { - requires = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ]; - after = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ]; + systemd.services."acme-missinghost.invalid" = { + wants = lib.mkForce [ + "acme-setup.service" + ]; + before = lib.mkForce [ ]; + restartTriggers = lib.mkForce [ ]; }; security.acme.acceptTerms = true; security.acme.certs = lib.mkIf config.services.nginx.enable { "missinghost.invalid" = { - dnsProvider = null; + dnsProvider = "invalidns"; listenHTTP = null; s3Bucket = null; - webroot = "/dev/null"; + webroot = null; # We can't use webroot as the setup service validates it... email = "invalid@missinghost.invalid"; }; # Nix requires some values, even if we're actually disabling the acme-missinghost.invalid service... that's problematic if there are no defaults for the system }; diff --git a/packetmix/systems/teal/stalwart.nix b/packetmix/systems/teal/stalwart.nix index a01063b8..71a204f5 100644 --- a/packetmix/systems/teal/stalwart.nix +++ b/packetmix/systems/teal/stalwart.nix 
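Review bot: The old side disabled both the service and the timer for this certificate, but the new side only disables `acme-order-renew-missinghost.invalid` and has no timer counterpart. If the reworked ACME module still generates a renewal timer per certificate, it will keep firing against a disabled unit, so it is worth confirming and disabling it under its new name. The placeholder `dnsProvider = "invalidns"` should carry a comment like the `webroot` one, e.g. `# not a real provider; only satisfies module validation, never used because acme-order-renew is disabled above`, so nobody later swaps in a real provider and starts sending orders for a .invalid name. The `lib.mkForce` overrides on `wants`, `before` and `restartTriggers` are keyed to unit names upstream has already renamed once, so a one-line comment naming the nixpkgs commit they were written against would make the next silent breakage easier to spot.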
@@ -143,15 +143,13 @@ in
 systemd.services.stalwart-mail = {
 requires = [ "postgresql.service" ];
 wants = [
- "acme-finished-mail.freshly.space.target"
+ "acme-mail.freshly.space.service"
 ]
- ++ (map (domain: "acme-finished-${domain}.target") mail_domains);
+ ++ (map (domain: "acme-${domain}.service") mail_domains);
 after = [
- "acme-selfsigned-mail.freshly.space.service"
 "acme-mail.freshly.space.service"
 "postgresql.service"
 ]
- ++ (map (domain: "acme-selfsigned-${domain}.service") mail_domains)
 ++ (map (domain: "acme-${domain}.service") mail_domains);
 serviceConfig.RestrictAddressFamilies = lib.mkForce [ ]; # We need the default restricted address families to access the postgres socket
 };
-- 
2.43.0
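Review bot: The certificate unit names are still built twice, once in `wants` and once in `after`, and this commit exists because such names went stale. Binding them once, e.g. `acmeUnits = map (domain: "acme-${domain}.service") ([ "mail.freshly.space" ] ++ mail_domains);` (the hunk header suggests a `let` block exists above), and then using `wants = acmeUnits;` and `after = acmeUnits ++ [ "postgresql.service" ];` would keep the two lists from drifting. `wants` is a soft dependency, so stalwart-mail will still start when a certificate unit fails; if that is intended, a comment saying so would help. The unchanged `RestrictAddressFamilies = lib.mkForce [ ]` line appears to clear the address-family restriction entirely rather than allow only what the postgres socket needs, which may be broader than its comment implies.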