cluster/services/acme-client/client.nix

@@ -32,10 +32,7 @@ in
     owner = "acme";
   };
 
-  security.acme.acceptTerms = true;
-  security.acme.maxConcurrentRenewals = 0;
   security.acme.defaults = {
-    email = depot.lib.meta.adminEmail;
     extraLegoFlags = lib.flatten [
       (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
       "--dns-timeout" "30"
@@ -45,38 +42,4 @@ in
       EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
     '';
   };
-
-  systemd.services = lib.mapAttrs' (name: value: {
-    name = "acme-${name}";
-    value = {
-      distributed.enable = value.dnsProvider != null;
-      preStart = let
-        serverList = lib.pipe authoritativeServers [
-          (map (x: "@${x}"))
-          (map (lib.replaceStrings [":53"] [""]))
-          lib.escapeShellArgs
-        ];
-        domainList = lib.pipe ([ value.domain ] ++ value.extraDomainNames) [
-          (map (x: "${x}."))
-          (map (lib.replaceStrings ["*"] ["x"]))
-          lib.unique
-          lib.escapeShellArgs
-        ];
-      in ''
-        echo Testing availability of authoritative DNS servers
-        for i in {1..60}; do
-          ${pkgs.dig}/bin/dig +short ${serverList} ${domainList} >/dev/null && break
-          echo Retry [$i/60]
-          sleep 10
-        done
-        echo Available
-      '';
-      serviceConfig = {
-        Restart = "on-failure";
-        RestartMaxDelaySec = 30;
-        RestartStesp = 5;
-        RestartMode = "direct";
-      };
-    };
-  }) config.security.acme.certs;
 }

cluster/services/nginx/nginx.nix

@@ -1,6 +1,10 @@
-{ config, ... }:
+{ config, depot, ... }:
 
-{
+let
+  inherit (depot.lib.meta) adminEmail;
+in {
+  security.acme.defaults.email = adminEmail;
+  security.acme.acceptTerms = true;
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;

cluster/services/ways/host.nix

@@ -69,16 +69,11 @@ in
         {
           source = let
             upstreams = lib.mapAttrsToList (_: cfg: ''
-              {{ if ne (len (service "${cfg.consulService}~_agent")) 0 }}
-              # ${cfg.consulService}
               upstream ${cfg.nginxUpstreamName} {
                 {{ range $i, $e := service "${cfg.consulService}~_agent" -}}
                 server {{ .Address }}:{{ .Port }}{{ if ne $i 0 }} backup{{ end }};
-                {{ end }}
+                {{end}}
               }
-              {{ else }}
-              # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
-              {{ end }}
             '') consulServiceWays;
           in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
           destination = "/run/consul-template/nginx-ways-upstreams.conf";

lib/nginx.nix

@@ -36,8 +36,7 @@
 
         proxyGhost = scheme: target: basic // {
           locations."/".extraConfig = ''
-            set $nix_proxy_ghost_target "${scheme}://${target}";
+            proxy_pass ${scheme}://${target};
-            proxy_pass $nix_proxy_ghost_target;
             proxy_set_header Host ${target};
             proxy_set_header Referer ${scheme}://${target};
             proxy_cookie_domain ${target} domain.invalid;