Only enable acme module on servers where certificates are configured

2024-04-05 01:41:44 +02:00 · 2024-04-05 01:41:44 +02:00 · e7d8d9904a
parent 557cdc8cb4
commit e7d8d9904a
2 changed files with 21 additions and 17 deletions
--- a/flake.lock
+++ b/flake.lock
@ -12,11 +12,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1707830867,
-        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "lastModified": 1712079060,
+        "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "rev": "1381a759b205dff7a6818733118d02253340fd5e",
        "type": "github"
      },
      "original": {
@ -53,11 +53,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1711915616,
-        "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=",
+        "lastModified": 1712266167,
+        "narHash": "sha256-gr2CBgT8t+utDqzWSp2vSjX/c39Q0BNtrWE6/cDhhEE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6",
+        "rev": "0c73c1b8da28a24c4fe842ced3f2548d5828b550",
        "type": "github"
      },
      "original": {
@ -120,11 +120,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1711668574,
-        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
+        "lastModified": 1712168706,
+        "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
+        "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
        "type": "github"
      },
      "original": {
@ -136,11 +136,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1711703276,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "lastModified": 1712163089,
+        "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
        "type": "github"
      },
      "original": {
@ -165,11 +165,11 @@
    },
    "secrets": {
      "locked": {
-        "lastModified": 1711905032,
-        "narHash": "sha256-+hLmLxA2gejnokzOwGuKg9Q0EOHLdWJLhXrIRpbMDjA=",
+        "lastModified": 1712273928,
+        "narHash": "sha256-+IXhsd5kJP5R5RxqEbaAI/s3QznTH4xUEL4+1Ho9jvA=",
        "ref": "refs/heads/master",
-        "rev": "2f6734ceecf871e24d90e545e1fcadbcb50b3f8b",
-        "revCount": 12,
+        "rev": "67f2b19f91b48e008b0c956fd9e06522b609767d",
+        "revCount": 13,
        "type": "git",
        "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
      },
--- a/modules/server/acme.nix
+++ b/modules/server/acme.nix
@ -1,8 +1,12 @@
 {
  config,
+  lib,
  secrets,
  ...
-}: {
+}:
+# Only enable module if certificates are configured so we don't try to decrypt
+# acme-lego-environment-file.age on servers that aren't allowed to.
+lib.mkIf (config.security.acme.certs != {}) {
  # Instead of managing certificates in each individual service, NixOS supports
  # automatic certificate retrieval and renewal using
  # `security.acme.certs.<name>` through the ACME protocol.