From 46a0829aa82c5a56e6b6c24aa8d8046c52a716a4 Mon Sep 17 00:00:00 2001
From: Matthew Leach
Date: Wed, 28 Jun 2023 20:42:37 +0100
Subject: [PATCH] acme: Add new option acmeCertificateName

Allow the user to specify the name of the ACME configuration that the mailserver should use. This allows users that request certificates that aren't the FQDN of the mailserver, for example a wildcard certificate.
---
 default.nix | 13 +++++++++++++
 mail-server/assertions.nix | 5 +++++
 mail-server/common.nix | 4 ++--
 mail-server/nginx.nix | 4 ++--
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/default.nix b/default.nix
index 3abdfbc..6bd499c 100644
--- a/default.nix
+++ b/default.nix
@@ -675,6 +675,19 @@ in
 '';
 };
 
+ acmeCertificateName = mkOption {
+ type = types.str;
+ default = cfg.fqdn;
+ example = "example.com";
+ description = ''
+ ({option}`mailserver.certificateScheme` == `acme`)
+
+ When the `acme` `certificateScheme` is selected, you can use this option
+ to override the default certificate name. This is useful if you've
+ generated a wildcard certificate, for example.
+ '';
+ };
+
 enableImap = mkOption {
 type = types.bool;
 default = true;
diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix
index d2c44ea..2b4b262 100644
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -13,5 +13,10 @@
 assertion = config.mailserver.forwards == {};
 message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
 }
+ ] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
+ {
+ assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+ message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+ }
 ];
 }
diff --git a/mail-server/common.nix b/mail-server/common.nix
index edea7f0..4e301c5 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
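Review bot: The description of the new `acmeCertificateName` option does not tell the user that the named certificate must still cover `mailserver.fqdn`; mail clients verify the server certificate against the IMAP/SMTP host name, so a certificate for an unrelated name yields TLS name-mismatch failures (and trains users to click through them). It also states the option applies to `certificateScheme == acme` only, while common.nix reads it for `acme-nginx` as well and assertions.nix pins it to `fqdn` there, which is worth saying explicitly. I would extend the description with: `The certificate must cover {option}`mailserver.fqdn`, either literally or through a wildcard for its parent domain. With the `acme-nginx` scheme this option must keep its default value.`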
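Review bot: The new assertion only rejects a non-default `acmeCertificateName` under a non-acme scheme; nothing verifies that the named entry in `security.acme.certs` exists or that it covers `config.mailserver.fqdn`. Because `security.acme.certs.<name>.domain` defaults to the attribute name, the `reloadServices` assignment in nginx.nix (if that module is evaluated for the `acme` scheme) turns a mistyped name into a fresh certificate entry — a spurious ACME order for the typo — rather than an evaluation error, while common.nix points postfix and dovecot at a directory that never receives a certificate. Consider a second assertion, guarded by `certificateScheme == "acme"`, that the `domain` plus `extraDomainNames` of `config.security.acme.certs.${config.mailserver.acmeCertificateName}` contains `fqdn` literally or a `*.` wildcard for its parent domain, with a message naming `mailserver.acmeCertificateName`. The enclosing `assertions` list begins outside the hunk.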
@@ -26,7 +26,7 @@ in
 else if cfg.certificateScheme == "selfsigned"
 then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
 else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
- then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+ then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
 else throw "unknown certificate scheme";
 
 # key :: PATH
@@ -35,7 +35,7 @@ in
 else if cfg.certificateScheme == "selfsigned"
 then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
 else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
- then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+ then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
 else throw "unknown certificate scheme";
 
 passwordFiles = let
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
index 4f0cb1a..a037f56 100644
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,7 +17,7 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });
 
 let
 cfg = config.mailserver;
@@ -34,7 +34,7 @@ in
 };
 };
 
- security.acme.certs."${cfg.fqdn}".reloadServices = [
+ security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
 "postfix.service"
 "dovecot2.service"
 ];
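Review bot: Both `certificatePath` and key hunks in common.nix (this one at -26 and the one at -35) now index `security.acme.certs` by `cfg.acmeCertificateName` for `acme-nginx` as well as `acme`, and the only reason that is safe is an assertion in another file; a one-line comment above the first `else if` such as `# acmeCertificateName is pinned to fqdn unless certificateScheme == "acme" (mail-server/assertions.nix)` would spare the next reader the cross-reference. The key is read from `key.pem` inside the named certificate's directory, so any ownership or group settings the module applies elsewhere to the `cfg.fqdn` certificate so that postfix and dovecot can read it (not visible in this patch) would also need to follow `acmeCertificateName`, otherwise a custom name leaves the key unreadable by those services. Both enclosing `let` bindings start outside the hunk.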
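Review bot: The change from `inherit config;` to `inherit config lib pkgs;` in the nginx.nix import of common.nix is unrelated to the option this commit adds and is not mentioned in the commit message; common.nix's argument set is not touched by this patch, so either it already accepts `lib` and `pkgs` (and the change merely aligns this caller with others) or it is a fixed `{ config }` set and the extra arguments are an evaluation error. Either way a sentence in the commit message, or a separate commit, should state why `lib` and `pkgs` are now passed.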