In reply to @m1cr0man:m1cr0man.com
Winter I was thinking that it might be possible to add an assertion in nginx/httpd/caddy to check acme cert access too, which would at least cover your concern about it unexpectedly failing. It would be complex though, idk if nix does anything in the config tree to merge users.users. .extraGroups and users.groups. .extraUsers that I could reference

In reply to @m1cr0man:m1cr0man.com
V curious to know what the answer is. Acme isn't the only module that is a dependency in other modules (namely I'm thinking of all the services that can auto configure virtual hosts). There doesn't seem to be a set place for these sort of helpers right now

In reply to @winterqt:nixos.dev
m1cr0man: I promise I haven't forgotten about the assertions, it's just been a long week and want to do this the right way. If not sometime this week, I'll get a PR open this weekend. My apologies!

m1cr0man: Sorry about that — I know we did have that conversation so I have no clue how that slipped my mind.

However, this is now a bit more complicated, and I’m not really sure what the best way to proceed is. Ideally, the assertion would handle both the case where only a single service is using the certificate (where the original assertion would work), and when multiple services are using it (this would check the members of the acme group). But I’m not really sure how to make it handle both since there’s no way we can track the number of usages of a certificate in a configuration. Do you have any ideas?

So my thought was that you could simply check that a service' user is in the assigned group, as per that feature I was questioning before. So I think this would work (OR'd with the current assertion)

builtins.any (v: v == config.services.nginx.user) config.users.groups.${config.security.acme.certs.${certName}.group}.members