author Lucas Savva <lucas@m1cr0man.com> 2021-11-26 21:57:31 +0000
committer Lucas Savva <lucas@m1cr0man.com> 2021-12-26 16:44:08 +0000
commit 87403a0b078d62245de7d619f2b71d2a0c78675a (patch)
tree e9e5641529609f26b0ffac44b951541c70bec9bc
parent a88d846b91dc3c75b825187998debd8e08c7794b (diff)
nixos/acme: Add a human readable error on run failure
Closes NixOS/nixpkgs#108237

When a user first adds an ACME cert to their configuration,
it's likely to fail to renew due to DNS misconfig. This is
non-fatal for other services since selfsigned certs are
(usually) put in place to let dependent services start.
Tell the user about this in the logs, and exit 2 for
differentiation purposes.
-rw-r--r-- nixos/modules/security/acme.nix 9
1 files changed, 7 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index dcea137b52e..be4762da8d1 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -391,8 +391,13 @@ let
           fi
 
         # Otherwise do a full run
-        else
-          lego ${runOpts}
+        elif ! lego ${runOpts}; then
+          # Produce a nice error for those doing their first nixos-rebuild with these certs
+          echo Failed to fetch certificates. \
+            This may mean your DNS records are set up incorrectly. \
+            ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
+          # Exit 2 so that users can potentially amend SuccessExitStatus to ignore this error.
+          exit 2
         fi
 
         mv domainhash.txt certificates/
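Review bot: The new error message in the `elif` branch is written to stdout with a bare `echo`, so in the journal it is not distinguishable from lego's normal output; redirect it to stderr (`echo ... >&2`) so it is logged at error priority and stands out in `journalctl -u acme-<domain>`. The arguments are also unquoted across the backslash continuations, which works only because none of the words contain shell-special characters; wrapping the whole message in double quotes would make this robust if the text is edited later. Two smaller points: "dependant" in the user-facing message should be "dependent", and the parentheses in `optionalString (cfg.preliminarySelfsigned)` are unnecessary since `cfg.preliminarySelfsigned` is a single attribute path.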