From 1c6e7ec1060953489396269e93f06235fc27dba6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Sun, 3 Mar 2024 01:06:52 +0100
Subject: [PATCH] acme: Don't attempt to get certs if the domain is wrong

---
 configuration/default.nix | 1 -
 .../hardware-specific/linode/default.nix | 2 ++
 configuration/hardware-specific/vm.nix | 2 +-
 modules/default.nix | 21 ++++++++++++++++---
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index 34b1f42..bea7539 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -137,7 +137,6 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 clientMaxBodySize = "10G";
- domain = "tlater.net";
 statusPage = true;
 # For metrics, should be accessible only from localhost
diff --git a/configuration/hardware-specific/linode/default.nix b/configuration/hardware-specific/linode/default.nix
index b05fade..8194ec4 100644
--- a/configuration/hardware-specific/linode/default.nix
+++ b/configuration/hardware-specific/linode/default.nix
@@ -6,6 +6,8 @@
 # Required for the lish console
 boot.kernelParams = ["console=ttyS0,19200n8"];
+ services.nginx.domain = "tlater.net";
+
 boot.loader = {
 # Timeout to allow lish to connect
 timeout = 10;
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index 79f4b35..f17e7ee 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -7,7 +7,7 @@
 networking.hostName = "testvm";
 # Sets the base domain for nginx to localhost so that we
 # can easily test locally with the VM.
- services.nginx.domain = lib.mkOverride 99 "localhost";
+ services.nginx.domain = "localhost";
 # Use the staging secrets
 sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
diff --git a/modules/default.nix b/modules/default.nix
index 55e356c..de1c7c2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,8 +1,23 @@
-{lib, ...}: let
- inherit (lib) mkOption types;
-in {
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
 options.services.nginx.domain = lib.mkOption {
 type = lib.types.str;
 description = "The base domain name to append to virtual domain names";
 };
+
+ config = {
+ # Don't attempt to run acme if the domain name is not tlater.net
+ systemd.services = let
+ confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
+ in
+ lib.mapAttrs' (cert: _:
+ lib.nameValuePair "acme-${cert}" {
+ serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+ })
+ config.security.acme.certs;
+ };
 }
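Review bot: The ACME gate in the new `systemd.services` block compares a value that is already fixed at evaluation time (`config.services.nginx.domain`) inside a runtime bash `[[ ]]`, and it interpolates that value unquoted into the single-quoted `-c` string. In `[[ "tlater.net" = ${config.services.nginx.domain} ]]` an unquoted right-hand side is a glob pattern, so a domain of `*` or `tlater.*` satisfies the check, and a value containing `'` breaks the quoting; the option is `types.str` with no default, so nothing stops such a value being set. Doing the comparison in Nix with `lib.mkIf` and pointing `ExecCondition` at `${pkgs.coreutils}/bin/false` (exit status 1 makes systemd skip the unit rather than fail it) removes the shell from the decision entirely. The literal `tlater.net` is now duplicated between this module and `configuration/hardware-specific/linode/default.nix`; until it is hoisted into one place, a comment such as `# Must match services.nginx.domain as set in hardware-specific/linode/default.nix` on the module would help the next reader.
```nix
  config = lib.mkIf (config.services.nginx.domain != "tlater.net") {
    # The domain is known at evaluation time, so decide here rather than in a
    # runtime shell; `false` makes systemd skip the unit instead of failing it.
    systemd.services = lib.mapAttrs' (cert: _:
      lib.nameValuePair "acme-${cert}" {
        serviceConfig.ExecCondition = "${pkgs.coreutils}/bin/false";
      })
      config.security.acme.certs;
  };
```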