From e7d8d9904abd240a179fb8cfb550861678b95b66 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Fri, 5 Apr 2024 01:41:44 +0200
Subject: [PATCH] Only enable acme module on servers where certificates are configured
---
 flake.lock | 32 ++++++++++++++++----------------
 modules/server/acme.nix | 6 +++++-
 2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/flake.lock b/flake.lock
index 558aae4..2212fde 100644
--- a/flake.lock
+++ b/flake.lock
@@ -12,11 +12,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1707830867,
- "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+ "lastModified": 1712079060,
+ "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+ "rev": "1381a759b205dff7a6818733118d02253340fd5e",
 "type": "github"
 },
 "original": {
@@ -53,11 +53,11 @@
 ]
 },
 "locked": {
- "lastModified": 1711915616,
- "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=",
+ "lastModified": 1712266167,
+ "narHash": "sha256-gr2CBgT8t+utDqzWSp2vSjX/c39Q0BNtrWE6/cDhhEE=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6",
+ "rev": "0c73c1b8da28a24c4fe842ced3f2548d5828b550",
 "type": "github"
 },
 "original": {
@@ -120,11 +120,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1711668574,
- "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
+ "lastModified": 1712168706,
+ "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
+ "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
 "type": "github"
 },
 "original": {
@@ -136,11 +136,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1711703276,
- "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+ "lastModified": 1712163089,
+ "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+ "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
 "type": "github"
 },
 "original": {
@@ -165,11 +165,11 @@
 },
 "secrets": {
 "locked": {
- "lastModified": 1711905032,
- "narHash": "sha256-+hLmLxA2gejnokzOwGuKg9Q0EOHLdWJLhXrIRpbMDjA=",
+ "lastModified": 1712273928,
+ "narHash": "sha256-+IXhsd5kJP5R5RxqEbaAI/s3QznTH4xUEL4+1Ho9jvA=",
 "ref": "refs/heads/master",
- "rev": "2f6734ceecf871e24d90e545e1fcadbcb50b3f8b",
- "revCount": 12,
+ "rev": "67f2b19f91b48e008b0c956fd9e06522b609767d",
+ "revCount": 13,
 "type": "git",
 "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
 },
diff --git a/modules/server/acme.nix b/modules/server/acme.nix
index 1814275..8b0d5a2 100644
--- a/modules/server/acme.nix
+++ b/modules/server/acme.nix
@@ -1,8 +1,12 @@
 {
 config,
+ lib,
 secrets,
 ...
-}: {
+}:
+# Only enable module if certificates are configured so we don't try to decrypt
+# acme-lego-environment-file.age on servers that aren't allowed to.
+lib.mkIf (config.security.acme.certs != {}) {
 # Instead of managing certificates in each individual service, NixOS supports
 # automatic certificate retrieval and renewal using
 # `security.acme.certs.` through the ACME protocol.
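Review bot: The condition `config.security.acme.certs != {}` on the new `lib.mkIf` line is true for every host that declares any certificate, which is broader than "hosts that are allowed to decrypt `acme-lego-environment-file.age`"; a host with certificates configured but without access to that secret would presumably still fail in the way the comment describes. The gate is also only an evaluation-time convenience, so the comment would be clearer if it said where access is really enforced, for example `# Access is enforced by the recipients of the .age file (presumably in the secrets repo), not by this check.` The module body continues outside the hunk: if it defines anything under `security.acme.certs`, now or later, the condition would depend on the value it gates and evaluation is likely to end in infinite recursion, so an explicit per-host enable option may be the more robust switch.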