From 2f7e3a9f0ce314d03e0e6371a0cbf3085ce83cd5 Mon Sep 17 00:00:00 2001
From: Robin Raymond
Date: Sat, 23 Sep 2017 09:56:09 +0200
Subject: [PATCH] initial acme support; needs testing

---
 default.nix             | 5 ++---
 mail-server/common.nix  | 8 ++++++--
 mail-server/nginx.nix   | 43 +++++++++++++++++++++++++++++++++++++++++
 mail-server/postfix.nix | 6 +++---
 mail-server/systemd.nix | 1 +
 5 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 mail-server/nginx.nix

diff --git a/default.nix b/default.nix
index 74c47c2..2a36ae7 100644
--- a/default.nix
+++ b/default.nix
@@ -138,7 +138,7 @@ in
       };
       certificateScheme = mkOption {
-        type = types.enum [ 1 2 ];
+        type = types.enum [ 1 2 3 ];
         default = 2;
         description = ''
           Certificate Files. There are three options for these.
@@ -149,8 +149,6 @@ in
           this implies that a stripped down webserver has to be started. This also implies that the FQDN must be set as an `A` record to point to the IP of the server. TODO: Explain more details
-
-          TODO: Only certificate scheme 1) and 2) work as of yet.
         '';
       };
@@ -256,5 +254,6 @@ in
     ./mail-server/dovecot.nix
     ./mail-server/postfix.nix
     ./mail-server/rmilter.nix
+    ./mail-server/nginx.nix
   ];
 }
diff --git a/mail-server/common.nix b/mail-server/common.nix
index f32d898..0d15ce7 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
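Review bot: The enum now admits scheme 3, but the option description in this hunk does not tell the user which name the certificate will be issued for; common.nix and nginx.nix both derive it from `${cfg.hostPrefix}.${cfg.domain}`, so the description should say that scheme 3 obtains a Let's Encrypt certificate for `hostPrefix.domain` through the nginx ACME client and stores it under /var/lib/acme. The second hunk of this file also removes the `TODO: Only certificate scheme 1) and 2) work as of yet.` caveat while the subject line says the feature "needs testing"; keeping a one-line note that scheme 3 is untested until it has been verified on a real host would be more honest to users picking the option.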
@@ -25,12 +25,16 @@ in
       then cfg.certificateFile
     else if cfg.certificateScheme == 2
       then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem"
-    else "";
+    else if cfg.certificateScheme == 3
+      then "/var/lib/acme/acme-challenge/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem"
+    else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 
   # key :: PATH
   keyPath = if cfg.certificateScheme == 1
       then cfg.keyFile
     else if cfg.certificateScheme == 2
       then "${cfg.certificateDirectory}/key-${cfg.domain}.pem"
-    else "";
+    else if cfg.certificateScheme == 3
+      then "/var/lib/acme/acme-challenge/${cfg.hostPrefix}.${cfg.domain}/privkey.pem"
+    else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 }
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
new file mode 100644
index 0000000..15bb596
--- /dev/null
+++ b/mail-server/nginx.nix
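Review bot: The scheme-3 paths place the certificate under `/var/lib/acme/acme-challenge/…`, but `acme-challenge` is the webroot from which HTTP-01 challenge files are served (nginx.nix sets it as `acmeRoot`), not where the issued certificate is written; the ACME module stores a certificate named N under `/var/lib/acme/N/`, so these lines presumably need to be `/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem` and the matching `…/privkey.pem` — verify on a test host before merging, as the subject line itself suggests. The `${cfg.hostPrefix}.${cfg.domain}` directory name is now spelled out twice and must agree with the certificate name nginx.nix requests; a single `let acmeDir = "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}"; in` binding would keep that coupling in one place. Note also that `privkey.pem` under /var/lib/acme is written by the ACME service's own user, so postfix and dovecot can only read it if the certificate's group and permission settings are adjusted; that is worth checking as part of the same test.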
@@ -0,0 +1,43 @@
+# nixos-mailserver: a simple mail server
+# Copyright (C) 2016-2017 Robin Raymond
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+
+{ config, pkgs, lib, ... }:
+with (import ./common.nix { inherit config; });
+let
+  cfg = config.mailserver;
+in
+{
+  config = with cfg; lib.mkIf (certificateScheme == 3) {
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        domain = {
+          serverName = "${hostPrefix}.${domain}";
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            root = "/var/www";
+          };
+          acmeRoot = "/var/lib/acme/acme-challenge";
+        };
+      };
+    };
+  };
+}
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index ebcfb0c..fedb53c 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -49,9 +49,9 @@ let
   vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
   submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
-    ### Removes sensitive headers from mails handed in via the submission port.
-    ### See https://thomas-leister.de/mailserver-debian-stretch/
-    ### Uses "pcre" style regex.
+    # Removes sensitive headers from mails handed in via the submission port.
+    # See https://thomas-leister.de/mailserver-debian-stretch/
+    # Uses "pcre" style regex.
     /^Received:/ IGNORE
     /^X-Originating-IP:/ IGNORE
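Review bot: The virtual host is keyed by the literal attribute name `domain` while its `serverName` is `${hostPrefix}.${domain}`; common.nix reads the certificate from a directory named after `${cfg.hostPrefix}.${cfg.domain}`, so if the nginx module keys the ACME certificate it requests by the vhost attribute name rather than by `serverName`, the two names diverge and postfix would look for a certificate that is never written. Keying the vhost as `virtualHosts."${hostPrefix}.${domain}" = { … };` and dropping the explicit `serverName` makes the certificate name and the path in common.nix identical by construction. `locations."/".root = "/var/www"` also serves whatever happens to exist in that directory on the mail host; a vhost that exists only to answer ACME challenges needs no document root, so point `root` at an empty Nix-managed directory or leave the location out. Separately, the postfix unit in the last hunk (systemd.nix, cut off in this view) orders itself `after = [ "nginx.service" ]`, yet the files are produced and later renewed by the ACME service for this certificate name; ordering after that unit and reloading postfix from the certificate's `postRun` hook is what guarantees the files exist and stay current.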
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index 0c82b16..48f5a5e 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -63,6 +63,7 @@ in
   # Create certificates and maildir folder
   systemd.services.postfix = {
+    after = (if (certificateScheme == 3) then [ "nginx.service" ] else []);
     preStart = ''
       # Create mail directory and set permissions. See