acme: Add new option acmeCertificateName
Allow the user to specify the name of the ACME configuration that the mailserver should use. This allows users that request certificates that aren't the FQDN of the mailserver, for example a wildcard certificate.
This commit is contained in:
parent
41059fc548
commit
46a0829aa8
13
default.nix
13
default.nix
|
@ -675,6 +675,19 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
acmeCertificateName = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = cfg.fqdn;
|
||||||
|
example = "example.com";
|
||||||
|
description = ''
|
||||||
|
({option}`mailserver.certificateScheme` == `acme`)
|
||||||
|
|
||||||
|
When the `acme` `certificateScheme` is selected, you can use this option
|
||||||
|
to override the default certificate name. This is useful if you've
|
||||||
|
generated a wildcard certificate, for example.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
enableImap = mkOption {
|
enableImap = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
|
|
|
@ -13,5 +13,10 @@
|
||||||
assertion = config.mailserver.forwards == {};
|
assertion = config.mailserver.forwards == {};
|
||||||
message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
|
message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
|
||||||
}
|
}
|
||||||
|
] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
|
||||||
|
{
|
||||||
|
assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
|
||||||
|
message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,7 +26,7 @@ in
|
||||||
else if cfg.certificateScheme == "selfsigned"
|
else if cfg.certificateScheme == "selfsigned"
|
||||||
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
|
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
|
||||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
||||||
then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
|
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
|
||||||
else throw "unknown certificate scheme";
|
else throw "unknown certificate scheme";
|
||||||
|
|
||||||
# key :: PATH
|
# key :: PATH
|
||||||
|
@ -35,7 +35,7 @@ in
|
||||||
else if cfg.certificateScheme == "selfsigned"
|
else if cfg.certificateScheme == "selfsigned"
|
||||||
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
|
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
|
||||||
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
||||||
then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
|
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
|
||||||
else throw "unknown certificate scheme";
|
else throw "unknown certificate scheme";
|
||||||
|
|
||||||
passwordFiles = let
|
passwordFiles = let
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
with (import ./common.nix { inherit config; });
|
with (import ./common.nix { inherit config lib pkgs; });
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.mailserver;
|
cfg = config.mailserver;
|
||||||
|
@ -34,7 +34,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme.certs."${cfg.fqdn}".reloadServices = [
|
security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
|
||||||
"postfix.service"
|
"postfix.service"
|
||||||
"dovecot2.service"
|
"dovecot2.service"
|
||||||
];
|
];
|
||||||
|
|
Loading…
Reference in New Issue