From 2f52ab637ca79d562075af2cc0f9729df40696d5 Mon Sep 17 00:00:00 2001
From: ThinkChaos
Date: Sat, 9 Nov 2024 13:51:42 -0500
Subject: [PATCH] nixos/acme: fix account creation service ordering

If the chosen leader was an HTTP service, then the web server would be both before and after the server.
---
 nixos/modules/security/acme/default.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 4af92d8779ef..94d1f7ae813f 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -1017,11 +1017,13 @@ in {
 # systemd clean --what=state is used to delete the account, so long as the user
 # then runs one of the cert services, there won't be any issues.
 accountTargets = lib.mapAttrs' (hash: confs: let
- leader = "acme-${(builtins.head confs).cert}.service";
- dependantServices = map (conf: "acme-${conf.cert}.service") (builtins.tail confs);
+ dnsConfs = builtins.filter (conf: cfg.certs.${conf.cert}.dnsProvider != null) confs;
+ leaderConf = if dnsConfs != [ ] then builtins.head dnsConfs else builtins.head confs;
+ leader = "acme-${leaderConf.cert}.service";
+ followers = map (conf: "acme-${conf.cert}.service") (builtins.filter (conf: conf != leaderConf) confs);
 in lib.nameValuePair "acme-account-${hash}" {
- requiredBy = dependantServices;
- before = dependantServices;
+ requiredBy = followers;
+ before = followers;
 requires = [ leader ];
 after = [ leader ];
 }) (lib.groupBy (conf: conf.accountHash) (lib.attrValues certConfigs));
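Review bot: The fallback in `leaderConf` still picks `builtins.head confs` when an account has no DNS-validated cert, so a group made up only of HTTP-validated certs keeps an HTTP leader; if the ordering cycle described in the commit message can occur in that case as well, this change does not cover it, and a comment should say why the fallback is safe. The `followers` filter compares whole attribute sets with `conf != leaderConf`; comparing the key is cheaper and does not depend on what else a conf holds: `(builtins.filter (conf: conf.cert != leaderConf.cert) confs)`. A one-line comment above `dnsConfs`, such as `# Prefer a DNS-validated cert as leader; it does not wait on the web server.`, would record the intent, since a broken ordering here presumably ends in certificates that are not issued or renewed. `cfg` and `certConfigs` are defined outside this hunk, so the assumption that every `conf.cert` is a key of `cfg.certs` could not be checked here.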