acme: Don't attempt to get certs if the domain is wrong

modules/default.nix

@@ -1,8 +1,23 @@
-{lib, ...}: let
-  inherit (lib) mkOption types;
-in {
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
   options.services.nginx.domain = lib.mkOption {
     type = lib.types.str;
     description = "The base domain name to append to virtual domain names";
   };
+
+  config = {
+    # Don't attempt to run acme if the domain name is not tlater.net
+    systemd.services = let
+      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
+    in
+      lib.mapAttrs' (cert: _:
+        lib.nameValuePair "acme-${cert}" {
+          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+        })
+      config.security.acme.certs;
+  };
 }