hotdog: cherry-pick nginx recommendedTlsSettings

author: tv <tv@krebsco.de> 2026-01-21 22:09:11 +0100
committer: tv <tv@krebsco.de> 2026-01-21 22:09:11 +0100
commit: 197bf404014b3bf33932ef8b7941ae0e26ea52a3 (patch)
tree: c88aa05b289a68348c3390f334fb6218209b2a17
parent: 99e91b56e30e7e747a7dfeed6c508f7c0e0b0f5a (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 91071ec85..655192077 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -5,6 +5,17 @@
     ../../../krebs
     ../../../krebs/2configs
     ../../../krebs/2configs/nginx.nix
+    {
+      # Cherry-pick services.nginx.recommendedTlsSettings to fix:
+      # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform
+      services.nginx.recommendedTlsSettings = lib.mkForce false;
+      services.nginx.appendHttpConfig = ''
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off;
+        ssl_prefer_server_ciphers off;
+      '';
+    }
 
     ../../../krebs/2configs/binary-cache/nixos.nix
     ../../../krebs/2configs/ircd.nix
author	tv <tv@krebsco.de>	2026-01-21 22:09:11 +0100
committer	tv <tv@krebsco.de>	2026-01-21 22:09:11 +0100
commit	197bf404014b3bf33932ef8b7941ae0e26ea52a3 (patch)
tree	c88aa05b289a68348c3390f334fb6218209b2a17
parent	99e91b56e30e7e747a7dfeed6c508f7c0e0b0f5a (diff)