nixos/acme: Add a human readable error on run failure

Closes NixOS/nixpkgs#108237 When a user first adds an ACME cert to their configuration, it's likely to fail to renew due to DNS misconfig. This is non-fatal for other services since selfsigned certs are (usually) put in place to let dependant services start. Tell the user about this in the logs, and exit 2 for differentiation purposes.
2021-11-26 21:57:31 +00:00 · 2021-11-26 21:57:31 +00:00 · 87403a0b07
parent a88d846b91
commit 87403a0b07
1 changed files with 7 additions and 2 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -391,8 +391,13 @@ let
          fi

        # Otherwise do a full run
-        else
-          lego ${runOpts}
+        elif ! lego ${runOpts}; then
+          # Produce a nice error for those doing their first nixos-rebuild with these certs
+          echo Failed to fetch certificates. \
+            This may mean your DNS records are set up incorrectly. \
+            ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
+          # Exit 2 so that users can potentially amend SuccessExitStatus to ignore this error.
+          exit 2
        fi

        mv domainhash.txt certificates/