From eb9133ade5e69875f01adf0ba1a540332ce30e14 Mon Sep 17 00:00:00 2001
From: Linnnus
Date: Sat, 17 May 2025 17:15:22 +0200
Subject: ahmed: Fix dependency ordering between ACME and NGINX
---
 hosts/ahmed/local-dns/certificates.nix | 25 +++++++++++++++++++++++++
 hosts/ahmed/nginx/default.nix | 1 +
 2 files changed, 26 insertions(+)
diff --git a/hosts/ahmed/local-dns/certificates.nix b/hosts/ahmed/local-dns/certificates.nix
index 25784c1..4d74224 100644
--- a/hosts/ahmed/local-dns/certificates.nix
+++ b/hosts/ahmed/local-dns/certificates.nix
@@ -24,6 +24,31 @@
 dnsPropagationCheck = true;
 domain = "*.${config.linus.local-dns.domain}";
+ # To avoid the following cyclical ordering, we want this certificate to
+ # be under a different account, as defined by the account hash (which
+ # includes email).
+ #
+ # 1. `nginx.service` is ordered before `acme-rumpenettet.linus.onl.service`
+ # because NGINX hard crashes when certificates are missing.
+ # 2. `acme-rumpenettet.linus.onl.service` ordered before
+ # `acme-account-….target` because it is part of the account and not the
+ # chosen group leader.
+ # 3. `acme-account-….target` is ordered after
+ # `acme-git.linus.onl.service` because it is the group leader.
+ # 4. `nginx.service` is ordered before `acme-*.service` because it has to
+ # be online for the challenge to work.
+ #
+ # So the issue ony arises because we have a DNS-01 certificate and a
+ # HTTP-01 certificate linked (ordering whise) by the account target. And
+ # those different types of certificates are ordered before/after NGINX
+ # respectively.
+ #
+ # We break the cycle by making the DNS certificate part of a different
+ # account. In the future, a more elegant solution might be to use the
+ # same selfsigned trick that NGINX already uses for certificates with
+ # HTTP-01 validation.
+ email = "linusvejlo+${config.networking.hostName}-acme-dns@gmail.com";
+ group = config.services.nginx.group;
 reloadServices = ["nginx"];
 };
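Review bot: The added explanatory comment has two typos that make the key sentence harder to read: `# So the issue ony arises because we have a DNS-01 certificate and a` should read `# So the issue only arises because we have a DNS-01 certificate and a`, and `# HTTP-01 certificate linked (ordering whise) by the account target. And` should read `# HTTP-01 certificate linked (ordering wise) by the account target. And`. Since the fix works by giving this certificate a distinct account hash, it would help to state the operational consequence next to the new `email` line, e.g. `# Distinct email => distinct ACME account (separate account key/state); keep this in mind for account rate limits and state backups.`, hedged as "presumably" if the account-key handling is not confirmed. The enclosing certificate attribute set opens before the hunk, so the rest of its settings are not visible here.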
diff --git a/hosts/ahmed/nginx/default.nix b/hosts/ahmed/nginx/default.nix
index 55e6925..ce86e81 100644
--- a/hosts/ahmed/nginx/default.nix
+++ b/hosts/ahmed/nginx/default.nix
@@ -10,6 +10,7 @@
 # Configure ACME. This is used by various HTTP services through the NGINX virtual hosts.
 security.acme = {
 acceptTerms = true;
+ # NOTE: The certificate in `local-dns/certficates.nix` uses a different email!
 defaults.email = "linusvejlo+${config.networking.hostName}-acme@gmail.com";
 };
-- cgit v1.2.3
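Review bot: The added NOTE points at `local-dns/certficates.nix`, but the file changed in this same commit is `hosts/ahmed/local-dns/certificates.nix`, so the misspelled path will send a reader looking for a file that does not exist. Change the line to `# NOTE: The certificate in `local-dns/certificates.nix` uses a different email!` and, since the reader lands here without the context of the other file, add the reason in a few words: `# (a separate ACME account breaks an NGINX/ACME ordering cycle; see the comment there)`. The `security.acme` attribute set is fully visible in the hunk, so no further context is hidden.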