nixos: Working ACME certs

nixos/modules/firewall.nix

@@ -128,11 +128,10 @@ in
 
               table inet nat {
                 chain prerouting {
-                  type nat hook prerouting priority 0;
+                  type nat hook prerouting priority dstnat;
                 }
-
                 chain postrouting {
-                  type nat hook postrouting priority 100;
+                  type nat hook postrouting priority srcnat;
                 }
               }
 

nixos/modules/pdns.nix

@@ -156,6 +156,9 @@ in
           mkdir -p /var/lib/pdns/bind-zones
           loadZones start
         '';
+        postStart = ''
+          chmod -R g+w /run/pdns /var/lib/pdns
+        '';
 
         # pdns reloads existing zones, so the only trigger will be if the zone files themselves change. If any new zones
         # are added or removed, named.conf will change, in turn changing the overall pdns settings and causing pdns to

nixos/modules/tmproot.nix

@@ -225,6 +225,16 @@ in
         my.tmproot.persistence.config.files =
           concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
       })
+      (mkIf (config.security.acme.certs != { }) {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/var/lib/acme";
+            mode = "0750";
+            user = "acme";
+            group = "acme";
+          }
+        ];
+      })
       (mkIf config.my.build.isDevVM {
         fileSystems = mkVMOverride {
           # Hijack the "root" device for persistence in the VM