From b610c68f92008cca896fa205b44bcb86ed4e954b Mon Sep 17 00:00:00 2001
From: Matthew Leach
Date: Wed, 28 Jun 2023 20:42:37 +0100
Subject: [PATCH] acme: Add new option acmeCertificateName

Allow the user to specify the name of the ACME configuration that the mailserver should use. This allows users that request certificates that aren't the FQDN of the mailserver, for example a wildcard certificate.
---
 default.nix | 13 +++++++++++++
 mail-server/assertions.nix | 5 +++++
 mail-server/common.nix | 4 ++--
 mail-server/nginx.nix | 4 ++--
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/default.nix b/default.nix
index fdfaee3..eec60db 100644
--- a/default.nix
+++ b/default.nix
@@ -675,6 +675,19 @@ in
 '';
 };
+ acmeCertificateName = mkOption {
+ type = types.str;
+ default = cfg.fqdn;
+ example = "example.com";
+ description = ''
+ ({option}`mailserver.certificateScheme` == `acme`)
+
+ When the `acme` `certificateScheme` is selected, you can use this option
+ to override the default certificate name. This is useful if you've
+ generated a wildcard certificate, for example.
+ '';
+ };
+
 enableImap = mkOption {
 type = types.bool;
 default = true;
diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix
index d2c44ea..2b4b262 100644
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -13,5 +13,10 @@
 assertion = config.mailserver.forwards == {};
 message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
 }
+ ] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
+ {
+ assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+ message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+ }
 ];
 }
diff --git a/mail-server/common.nix b/mail-server/common.nix
index 236530b..ee9c7b9 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
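Review bot: The new `acmeCertificateName` option sets `default = cfg.fqdn;` without a `defaultText`, so anything that renders option defaults has to evaluate the module configuration instead of printing the expression; add `defaultText = lib.literalExpression "config.mailserver.fqdn";` next to it (assuming `lib` is in scope, as the bare `mkOption`/`types` usage suggests). The description only names the `acme` scheme, yet the restriction that the option must stay at its default under every other scheme lives in assertions.nix where a reader of this option will not find it. A sentence such as `The certificate with this name must be defined in security.acme.certs; with any scheme other than acme this option must keep its default.` in the description would make that contract visible at the option itself.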
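Review bot: The new assertion only stops the option from being changed under non-`acme` schemes; nothing checks that a certificate named `acmeCertificateName` actually exists under the `acme` scheme, so a typo or a forgotten wildcard cert surfaces as an attribute-missing error from the `config.security.acme.certs.${cfg.acmeCertificateName}.directory` lookup in common.nix instead of a readable message. A second `lib.optionals` block keyed on `certificateScheme == "acme"` would catch that at evaluation time with a message naming the missing certificate. The `acme-nginx` scheme needs no such check as long as the existing assertion keeps the option equal to `fqdn` there.
```nix
  # … unchanged: assertion for certificateScheme != "acme" …
  ] ++ lib.optionals (config.mailserver.certificateScheme == "acme") [
    {
      assertion = builtins.hasAttr config.mailserver.acmeCertificateName config.security.acme.certs;
      message = "mailserver.acmeCertificateName (${config.mailserver.acmeCertificateName}) is not defined in security.acme.certs";
    }
  ];
```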
@@ -26,7 +26,7 @@ in
 else if cfg.certificateScheme == "selfsigned"
 then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
 else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
- then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+ then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
 else throw "unknown certificate scheme";
 # key :: PATH
@@ -35,7 +35,7 @@ in
 else if cfg.certificateScheme == "selfsigned"
 then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
 else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
- then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+ then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
 else throw "unknown certificate scheme";
 passwordFiles = let
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
index e5fa597..87608e3 100644
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,7 +17,7 @@
 { config, pkgs, lib, ... }:
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });
 let
 cfg = config.mailserver;
@@ -36,7 +36,7 @@ in
 };
 };
-security.acme.certs."${cfg.fqdn}".reloadServices = [
+security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
 "postfix.service"
 "dovecot2.service"
 ];
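Review bot: The new `then` line (and the matching one in the @@ -35 hunk for key.pem) applies `cfg.acmeCertificateName` to the `acme-nginx` branch as well, although the option description only covers `acme`; this is only correct because assertions.nix pins the option to `cfg.fqdn` for every other scheme, which a reader of this file cannot see. A comment on the new line, `# equals cfg.fqdn unless certificateScheme == "acme" (enforced in assertions.nix)`, would record that, and the same note serves the key.pem hunk. The `certificatePath`/`keyPath` definitions these lines belong to start outside the hunk. Since the private key of whichever certificate is named here is now read by the mail services, it is worth confirming that whatever grants postfix and dovecot access to the `fqdn` certificate's key today also covers an arbitrarily named certificate — the hunk does not show how that is done.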
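Review bot: Passing `lib pkgs` into the common.nix import on the `with` line is unrelated to the option this commit adds and is not mentioned in the commit message. If common.nix requires those arguments (its signature is not visible here), the previous `inherit config;` call would have failed at evaluation whenever this file was active, which is a separate fix that deserves a line in the message or its own commit.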
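Review bot: If this attribute set is guarded by the `acme-nginx` scheme (the enclosing `config = …` starts outside the hunk), switching the `reloadServices` key to `cfg.acmeCertificateName` is a no-op, because assertions.nix forces the option to equal `cfg.fqdn` for every scheme except `acme`. Conversely a user of the `acme` scheme with a wildcard certificate gets no reload hook from this module unless one is defined elsewhere, so postfix and dovecot keep serving the previous chain after a renewal until they are restarted, and eventually present an expired certificate. Either this line should move under a guard covering both `acme` and `acme-nginx` — checking that it does not create a spurious `security.acme.certs` entry under the manual and selfsigned schemes — or the option description in default.nix should tell `acme` users to set `security.acme.certs.<name>.reloadServices` for `postfix.service` and `dovecot2.service` themselves.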