From 41448f0c23197c6daeaa5946c38bb7450c204581 Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 31 Oct 2022 18:42:09 +0100
Subject: [PATCH] cluster/services/nginx: switch to OpenSSL 1.1 to mitigate a to-be-disclosed vulnerability
---
 cluster/services/nginx/default.nix | 2 +-
 cluster/services/nginx/openssl-1.1.nix | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 cluster/services/nginx/openssl-1.1.nix
diff --git a/cluster/services/nginx/default.nix b/cluster/services/nginx/default.nix
index fa27013..594cb0f 100644
--- a/cluster/services/nginx/default.nix
+++ b/cluster/services/nginx/default.nix
@@ -1,6 +1,6 @@
 {
 services.nginx = {
 nodes.host = [ "VEGAS" "prophet" ];
- nixos.host = [ ./nginx.nix ];
+ nixos.host = [ ./nginx.nix ./openssl-1.1.nix ];
 };
 }
diff --git a/cluster/services/nginx/openssl-1.1.nix b/cluster/services/nginx/openssl-1.1.nix
new file mode 100644
index 0000000..1591557
--- /dev/null
+++ b/cluster/services/nginx/openssl-1.1.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+ services.nginx.package = pkgs.nginx.override {
+ openssl = pkgs.openssl_1_1;
+ };
+}
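Review bot: The new module cluster/services/nginx/openssl-1.1.nix pins nginx to `pkgs.openssl_1_1` without any comment saying that this is a temporary mitigation or when it should be reverted, so the pin is likely to outlive the advisory it was made for and keep nginx on the older OpenSSL branch after a fixed 3.x release reaches nixpkgs. I would add a header comment such as `# TEMPORARY: build nginx against OpenSSL 1.1 until a fixed OpenSSL 3.x is in nixpkgs; delete this module and its entry in default.nix afterwards.` The override only replaces the `openssl` argument of the nginx derivation, so anything else on these hosts that links the default OpenSSL is presumably still on the affected branch and needs its own check. After deployment, `nginx -V` reports the OpenSSL version the binary was built with, which confirms the override took effect on both nodes.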