fix: need attrset in config.lib, fix typo in nftables rule

hosts/ward/default.nix

@@ -116,7 +116,7 @@ in {
       };
       virtualHosts.${auth.domain} = {
         forceSSL = true;
-        useACMEHost = config.lib.matchingWildcardCert auth.domain;
+        useACMEHost = config.lib.extra.matchingWildcardCert auth.domain;
         locations."/".proxyPass = "https://kanidm";
         # Allow using self-signed certs to satisfy kanidm's requirement
         # for TLS connections. (This is over wireguard anyway)

modules/extra.nix

@@ -30,7 +30,7 @@ in {
   };
 
   config = {
-    lib = {
+    lib.extra = {
       # For a given domain, this searches for a matching wildcard acme domain that
       # would include the given domain. If no such domain is defined in
       # extra.acme.wildcardDomains, an assertion is triggered.

modules/microvms.nix

@@ -198,7 +198,7 @@
               then "${config.networking.hostName}.local"
               else config.networking.fqdn;
             inherit (cfg.networking.wireguard) port;
-            openFirewallRules = ["untrusted"];
+            openFirewallRules = ["untrusted-to-local"];
           };
           linkName = "local-vms";
           ipv4 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv4;