Only enable acme module on servers where certificates are configured

flake.lock

@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1707830867,
+        "lastModified": 1712079060,
-        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "rev": "1381a759b205dff7a6818733118d02253340fd5e",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711915616,
+        "lastModified": 1712266167,
-        "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=",
+        "narHash": "sha256-gr2CBgT8t+utDqzWSp2vSjX/c39Q0BNtrWE6/cDhhEE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6",
+        "rev": "0c73c1b8da28a24c4fe842ced3f2548d5828b550",
         "type": "github"
       },
       "original": {
@@ -120,11 +120,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1711668574,
+        "lastModified": 1712168706,
-        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
+        "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
+        "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1711703276,
+        "lastModified": 1712163089,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
         "type": "github"
       },
       "original": {
@@ -165,11 +165,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1711905032,
+        "lastModified": 1712273928,
-        "narHash": "sha256-+hLmLxA2gejnokzOwGuKg9Q0EOHLdWJLhXrIRpbMDjA=",
+        "narHash": "sha256-+IXhsd5kJP5R5RxqEbaAI/s3QznTH4xUEL4+1Ho9jvA=",
         "ref": "refs/heads/master",
-        "rev": "2f6734ceecf871e24d90e545e1fcadbcb50b3f8b",
+        "rev": "67f2b19f91b48e008b0c956fd9e06522b609767d",
-        "revCount": 12,
+        "revCount": 13,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

modules/server/acme.nix

@@ -1,8 +1,12 @@
 {
   config,
+  lib,
   secrets,
   ...
-}: {
+}:
+# Only enable module if certificates are configured so we don't try to decrypt
+# acme-lego-environment-file.age on servers that aren't allowed to.
+lib.mkIf (config.security.acme.certs != {}) {
   # Instead of managing certificates in each individual service, NixOS supports
   # automatic certificate retrieval and renewal using
   # `security.acme.certs.<name>` through the ACME protocol.