acme: Don't attempt to get certs if the domain is wrong

configuration/default.nix

@@ -137,7 +137,6 @@
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
     clientMaxBodySize = "10G";
-    domain = "tlater.net";
 
     statusPage = true; # For metrics, should be accessible only from localhost
 

configuration/hardware-specific/linode/default.nix

@@ -6,6 +6,8 @@
   # Required for the lish console
   boot.kernelParams = ["console=ttyS0,19200n8"];
 
+  services.nginx.domain = "tlater.net";
+
   boot.loader = {
     # Timeout to allow lish to connect
     timeout = 10;

configuration/hardware-specific/vm.nix

@@ -7,7 +7,7 @@
   networking.hostName = "testvm";
   # Sets the base domain for nginx to localhost so that we
   # can easily test locally with the VM.
-  services.nginx.domain = lib.mkOverride 99 "localhost";
+  services.nginx.domain = "localhost";
 
   # Use the staging secrets
   sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;

modules/default.nix

@@ -1,8 +1,23 @@
-{lib, ...}: let
-  inherit (lib) mkOption types;
-in {
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
   options.services.nginx.domain = lib.mkOption {
     type = lib.types.str;
     description = "The base domain name to append to virtual domain names";
   };
+
+  config = {
+    # Don't attempt to run acme if the domain name is not tlater.net
+    systemd.services = let
+      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
+    in
+      lib.mapAttrs' (cert: _:
+        lib.nameValuePair "acme-${cert}" {
+          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+        })
+      config.security.acme.certs;
+  };
 }