| commit | 6fd5ce5afc5e280e883254c5eeadc0e269dbaf8b | [log] [tgz] |
|---|---|---|
| author | Skyler Grey <minion@clicks.codes> | Thu Apr 18 10:32:43 2024 +0000 |
| committer | Skyler Grey <minion@clicks.codes> | Sat Apr 20 00:23:57 2024 +0000 |
| tree | c7ffd20a5e3c8a1efb06eb8d5c3ba17741786de8 | |
| parent | 6b6c3c600b91807d6ca7b2a940e4fa0ff3ee9c60 [diff] |
Fix SSL for mailcow Previously we were still copying all certificates, including ones that were not used for mailcow, over to mailcow for SNI purposes. This appeared to confuse mailcow and cause it to provide an old certificate, which expired causing us to fail SSL checks. Change-Id: Ifceda7e8161971db3eb517842663803b1a34b13f Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/627 Reviewed-by: Samuel Shuert <coded@clicks.codes> Tested-by: Skyler Grey <minion@clicks.codes>
To deploy these files to our server we use deploy-rs. If you've got a flakes-enabled nix installed on your system you can run
nix run github:serokell/deploy-rs
You can also install deploy-rs to your profile, at which point you'll be able to run
deploy
Secrets are stored in SOPS and deployed using scalpel.
If you have a service which needs to store secrets in its config file, please set systemd reloadTriggers and restartTriggers to automatically reload/restart the service whenever the configuration changes.
It's notable that changing the secrets will not trigger a reload/restart of the service. If you want to update the secrets without updating the rest of the configuration you currently need to manually restart the service. It's possible that this could be solved by using systemd paths to watch the files (see https://superuser.com/questions/1171751/restart-systemd-service-automatically-whenever-a-directory-changes-any-file-ins) but this is not a priority