Merge branch 'acme-cert-name-option' into 'master'

acme: Add new option acmeCertificateName See merge request simple-nixos-mailserver/nixos-mailserver!303
2025-01-12 23:36:56 +01:00 · 2024-03-15 02:51:27 +00:00 · 2024-03-15 02:51:27 +00:00 · ed0fbae77c
commit ed0fbae77c
parent 79c8cfcd58 b610c68f92
4 changed files with 22 additions and 4 deletions
--- a/default.nix
+++ b/default.nix
@ -675,6 +675,19 @@ in
      '';
    };

+    acmeCertificateName = mkOption {
+      type = types.str;
+      default = cfg.fqdn;
+      example = "example.com";
+      description = ''
+          ({option}`mailserver.certificateScheme` == `acme`)
+
+        When the `acme` `certificateScheme` is selected, you can use this option
+        to override the default certificate name. This is useful if you've
+        generated a wildcard certificate, for example.
+      '';
+    };
+
    enableImap = mkOption {
      type = types.bool;
      default = true;
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@ -13,5 +13,10 @@
      assertion = config.mailserver.forwards == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
    }
+  ] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
+    {
+      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+    }
  ];
 }
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@ -26,7 +26,7 @@ in
             else if cfg.certificateScheme == "selfsigned"
                  then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
                  else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
                       else throw "unknown certificate scheme";

  # key :: PATH
@ -35,7 +35,7 @@ in
        else if cfg.certificateScheme == "selfsigned"
             then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
              else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
                   else throw "unknown certificate scheme";

  passwordFiles = let
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@ -17,7 +17,7 @@

 { config, pkgs, lib, ... }:

-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });

 let
  cfg = config.mailserver;
@ -36,7 +36,7 @@ in
      };
    };

-    security.acme.certs."${cfg.fqdn}".reloadServices = [
+    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
      "postfix.service"
      "dovecot2.service"
    ];