I’m posting this in case it helps someone else, since I found the solution inside of nixpkgs PR discussion only.
Originally my config just had a line systemd.services.nginx.serviceConfig.SupplementaryGroup = [ "acme" ];
to grant nginx access to my acme certs, but after a recent update it started triggering the following error:
error: attribute 'User' missing
at /nix/store/n1g84klfb0h3bpwyvc59lcy5ca58h36w-source/nixos/modules/security/acme/mk-cert-ownership-assertion.nix:19:49:
18| message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
19| catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
| ^
20| }";
After some digging I came across a PR from Nov 8, 2024. In the discussion someone mentions they ran into this problem and suggests a solution to set the group using something along the lines of the following instead:
security.acme.certs."domain".group = config.services.nginx.group;
That seemed to work for me. Hope that helps.