From 46a0829aa82c5a56e6b6c24aa8d8046c52a716a4 Mon Sep 17 00:00:00 2001
From: Matthew Leach <dev@mattleach.net>
Date: Wed, 28 Jun 2023 20:42:37 +0100
Subject: [PATCH] acme: Add new option acmeCertificateName

Allow the user to specify the name of the ACME configuration that the
mailserver should use. This allows users that request certificates that
aren't the FQDN of the mailserver, for example a wildcard certificate.
---
 default.nix                | 13 +++++++++++++
 mail-server/assertions.nix |  5 +++++
 mail-server/common.nix     |  4 ++--
 mail-server/nginx.nix      |  4 ++--
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/default.nix b/default.nix
index 3abdfbc..6bd499c 100644
--- a/default.nix
+++ b/default.nix
@@ -675,6 +675,19 @@ in
       '';
     };
 
+    acmeCertificateName = mkOption {
+      type = types.str;
+      default = cfg.fqdn;
+      example = "example.com";
+      description = ''
+          ({option}`mailserver.certificateScheme` == `acme`)
+
+        When the `acme` `certificateScheme` is selected, you can use this option
+        to override the default certificate name. This is useful if you've
+        generated a wildcard certificate, for example.
+      '';
+    };
+
     enableImap = mkOption {
       type = types.bool;
       default = true;
diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix
index d2c44ea..2b4b262 100644
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -13,5 +13,10 @@
       assertion = config.mailserver.forwards == {};
       message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
     }
+  ] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
+    {
+      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+    }
   ];
 }
diff --git a/mail-server/common.nix b/mail-server/common.nix
index edea7f0..4e301c5 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
              else if cfg.certificateScheme == "selfsigned"
                   then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
                   else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                       then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+                       then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
                        else throw "unknown certificate scheme";
 
   # key :: PATH
@@ -35,7 +35,7 @@ in
         else if cfg.certificateScheme == "selfsigned"
              then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
               else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
-                   then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+                   then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
                    else throw "unknown certificate scheme";
 
   passwordFiles = let
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
index 4f0cb1a..a037f56 100644
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,7 +17,7 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });
 
 let
   cfg = config.mailserver;
@@ -34,7 +34,7 @@ in
       };
     };
 
-    security.acme.certs."${cfg.fqdn}".reloadServices = [
+    security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
       "postfix.service"
       "dovecot2.service"
     ];