Unverified Commit 8b37735e authored by Yureka's avatar Yureka Committed by GitHub

nixos/acme: add s3Bucket option (#262806)

parent 6e68f706
+27 −30
@@ -184,6 +184,7 @@ let
  certToConfig = cert: data: let
    acmeServer = data.server;
    useDns = data.dnsProvider != null;
    useDnsOrS3 = useDns || data.s3Bucket != null;
    destPath = "/var/lib/acme/${cert}";
    selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];

@@ -219,7 +220,8 @@ let
      [ "--dns" data.dnsProvider ]
      ++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
      ++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
    ) else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
    ) else if data.s3Bucket != null then [ "--http" "--http.s3-bucket" data.s3Bucket ]
    else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
    else [ "--http" "--http.webroot" data.webroot ];

    commonOpts = [
@@ -362,13 +364,12 @@ let
          "/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates"
        ];

        # Only try loading the environmentFile if the dns challenge is enabled
        EnvironmentFile = mkIf useDns data.environmentFile;
        EnvironmentFile = mkIf useDnsOrS3 data.environmentFile;

        Environment = mkIf useDns
        Environment = mkIf useDnsOrS3
          (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);

        LoadCredential = mkIf useDns
        LoadCredential = mkIf useDnsOrS3
          (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);

        # Run as root (Prefixed with +)
@@ -755,6 +756,15 @@ let
        '';
      };

      s3Bucket = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "acme";
        description = lib.mdDoc ''
          S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
        '';
      };

      inheritDefaults = mkOption {
        default = true;
        example = true;
@@ -929,32 +939,19 @@ in {
          '';
        }
        {
          assertion = data.dnsProvider == null || data.webroot == null;
          message = ''
            Options `security.acme.certs.${cert}.dnsProvider` and
            `security.acme.certs.${cert}.webroot` are mutually exclusive.
          '';
        }
        {
          assertion = data.webroot == null || data.listenHTTP == null;
          message = ''
            Options `security.acme.certs.${cert}.webroot` and
            `security.acme.certs.${cert}.listenHTTP` are mutually exclusive.
          '';
        }
        {
          assertion = data.listenHTTP == null || data.dnsProvider == null;
          message = ''
            Options `security.acme.certs.${cert}.listenHTTP` and
            `security.acme.certs.${cert}.dnsProvider` are mutually exclusive.
          '';
        }
        {
          assertion = data.dnsProvider != null || data.webroot != null || data.listenHTTP != null;
          assertion = lib.length (lib.filter (x: x != null) [
            data.dnsProvider
            data.webroot
            data.listenHTTP
            data.s3Bucket
          ]) != 1;
          message = ''
            One of `security.acme.certs.${cert}.dnsProvider`,
            `security.acme.certs.${cert}.webroot`, or
            `security.acme.certs.${cert}.listenHTTP` must be provided.
            Exactly one of the options
            `security.acme.certs.${cert}.dnsProvider`,
            `security.acme.certs.${cert}.webroot`,
            `security.acme.certs.${cert}.listenHTTP` and
            `security.acme.certs.${cert}.s3Bucket`
            is required.
          '';
        }
        {
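Review bot: The rewritten assertion in the last hunk is inverted relative to its own message: `lib.length (lib.filter (x: x != null) [ ... ]) != 1` holds when zero or several of dnsProvider/webroot/listenHTTP/s3Bucket are set and fails when exactly one is, so every correctly configured certificate now trips the "Exactly one of the options ... is required" error while a cert with none or two challenge types passes. The comparison should read `]) == 1;`. Because this single check replaces the three pairwise mutual-exclusion assertions removed above it, it is the only guard left against conflicting challenge settings, so it is worth a NixOS module test covering the zero, one and two-option cases. Separately, the comment `# Only try loading the environmentFile if the dns challenge is enabled` in the service hunk is now stale since the condition became `useDnsOrS3`; something like `# Only load environmentFile/credentials when the DNS or S3 challenge is enabled (both need provider credentials)` would match the new code.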