From 197bf404014b3bf33932ef8b7941ae0e26ea52a3 Mon Sep 17 00:00:00 2001
From: tv
Date: Wed, 21 Jan 2026 22:09:11 +0100
Subject: hotdog: cherry-pick nginx recommendedTlsSettings
---
 krebs/1systems/hotdog/config.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 91071ec85..655192077 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -5,6 +5,17 @@
 ../../../krebs
 ../../../krebs/2configs
 ../../../krebs/2configs/nginx.nix
+ {
+ # Cherry-pick services.nginx.recommendedTlsSettings to fix:
+ # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform
+ services.nginx.recommendedTlsSettings = lib.mkForce false;
+ services.nginx.appendHttpConfig = ''
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers off;
+ '';
+ }
 ../../../krebs/2configs/binary-cache/nixos.nix
 ../../../krebs/2configs/ircd.nix
-- cgit v1.2.3
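Review bot: The `lib.mkForce false` override on `services.nginx.recommendedTlsSettings` pins this host to a hand-copied subset of the upstream block, and the comment records neither the nixpkgs revision it was copied from nor the condition for removing it, so later upstream TLS hardening will silently not reach hotdog. I would extend the comment along the lines of `# Copied from nixpkgs <revision>; drop this block once the nginx/TLS library here supports ssl_conf_command.` The rejected `ssl_conf_command` directive is left out without a replacement; presumably upstream uses it to pin key-exchange groups, in which case nginx now falls back to the TLS library's defaults, and a one-line note saying that is accepted (or a check of the negotiated groups on this host) would make the trade-off explicit. The surrounding imports list and the module's argument set are outside the hunk, so whether `lib` is in scope for the new attrset cannot be confirmed from here.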