added acme to impermanence

configurations/nixos/defiant/services.nix

@@ -135,11 +135,6 @@ in {
       };
     };
 
-    security.acme = {
-      acceptTerms = true;
-      defaults.email = "jan-leila@protonmail.com";
-    };
-
     networking.firewall.allowedTCPPorts =
       [
         httpPort

modules/nixos-modules/server/reverse_proxy.nix

@@ -2,7 +2,9 @@
   lib,
   config,
   ...
-}: {
+}: let
+  dataDir = "/var/lib/acme";
+in {
   options.host.reverse_proxy = {
     enable = lib.mkEnableOption "turn on the reverse proxy";
     hostname = lib.mkOption {
@@ -32,15 +34,15 @@
     };
   };
 
-  # TODO: impermanence for ACME keys
+  config = lib.mkIf config.host.reverse_proxy.enable (lib.mkMerge [
-  config = {
+    {
       security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
         acceptTerms = true;
         defaults.email = "jan-leila@protonmail.com";
       };
 
       services.nginx = {
-      enable = config.host.reverse_proxy.enable;
+        enable = true;
         virtualHosts = lib.attrsets.mapAttrs' (name: value:
           lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
             forceSSL = config.host.reverse_proxy.forceSSL;
@@ -52,5 +54,26 @@
           })
         config.host.reverse_proxy.subdomains;
       };
-  };
+    }
+    (lib.mkIf config.host.impermanence.enable {
+      # TODO: figure out how to write an assertion for this
+      # assertions = [
+      #   {
+      #     assertion = security.acme.certs.<name>.directory == dataDir;
+      #     message = "postgres data directory does not match persistence";
+      #   }
+      # ];
+      environment.persistence."/persist/system/root" = {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = dataDir;
+            user = "acme";
+            group = "acme";
+          }
+        ];
+      };
+    })
+  ]);
 }