From e37aab2130e4a42660bef203592069cb05d3fe3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo>
Date: Fri, 26 Nov 2021 13:58:40 +0100
Subject: [PATCH] nixos/acme: Allow disabling bash tracing

This is horrible if you want to debug failures that happened during
system switches but your 30-ish acme clients spam the log with the same
messages over and over again.
---
 nixos/modules/security/acme.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 2815e2593b23..12ebc746f520 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -325,7 +325,8 @@ let
 
       # Working directory will be /tmp
       script = ''
-        set -euxo pipefail
+        ${optionalString data.enableDebugLogs "set -x"}
+        set -euo pipefail
 
         # This reimplements the expiration date check, but without querying
         # the acme server first. By doing this offline, we avoid errors
@@ -438,6 +439,8 @@ let
         default = "_mkMergedOptionModule";
       };
 
+      enableDebugLogs = mkEnableOption "debug logging for this certificate" // { default = cfg.enableDebugLogs; };
+
       webroot = mkOption {
         type = types.nullOr types.str;
         default = null;
@@ -616,6 +619,8 @@ in {
   options = {
     security.acme = {
 
+      enableDebugLogs = mkEnableOption "debug logging for all certificates by default" // { default = true; };
+
       validMinDays = mkOption {
         type = types.int;
         default = 30;