acme: Add new option acmeCertificateName

Allow the user to specify the name of the ACME configuration that the
mailserver should use. This allows users to use certificates that aren't
issued for the FQDN of the mailserver, for example a wildcard certificate.
Matthew Leach 2023-06-28 20:42:37 +01:00
parent 41059fc548
commit 46a0829aa8
4 changed files with 22 additions and 4 deletions


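--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -675,6 +675,19 @@ in
 '';
 };
+acmeCertificateName = mkOption {
+type = types.str;
+default = cfg.fqdn;
+example = "example.com";
+description = ''
+({option}`mailserver.certificateScheme` == `acme`)
+When the `acme` `certificateScheme` is selected, you can use this option
+to override the default certificate name. This is useful if you've
+generated a wildcard certificate, for example.
+'';
+};
 enableImap = mkOption {
 type = types.bool;
 default = true;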
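Review bot: The description limits the option to the `acme` scheme, but the certificate/key path lookups changed elsewhere in this commit read `cfg.acmeCertificateName` for `acme-nginx` too, while the new assertion forces the value back to `cfg.fqdn` for every scheme other than `acme`; the description should say so explicitly so `acme-nginx` users do not expect the override to take effect. It should also state that the value is the attribute name under `security.acme.certs` rather than a domain, and that the user must declare that certificate themselves with a `domain`/`extraDomainNames` set that covers `mailserver.fqdn`, e.g. append `Only honoured when certificateScheme is "acme". The value is the attribute name under security.acme.certs, which you have to declare yourself; its domain or extraDomainNames must cover mailserver.fqdn.`. The `example` of `"example.com"` is consistent with that, since a wildcard certificate is usually declared under its apex name. The enclosing options set starts and ends outside the hunk.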


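--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -13,5 +13,10 @@
 assertion = config.mailserver.forwards == {};
 message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
 }
+] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
+{
+assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+}
 ];
 }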
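Review bot: The new assertion only checks the name when it is not allowed to change; under the `acme` scheme any string is accepted, and because another hunk in this commit assigns `reloadServices` into `security.acme.certs."${cfg.acmeCertificateName}"`, a mistyped or non-matching name does not fail evaluation but silently creates a certificate entry that does not cover `mailserver.fqdn`, so mail clients will reject the served certificate (whether that assignment is gated by scheme is outside the visible hunks). A positive check that the named certificate's `domain` or `extraDomainNames` cover the FQDN would turn this into an eval-time failure; the suffix test below is an approximation, since a `*.example.com` entry covers only one label, but it rejects the obvious mistakes. The `assertions` list this appends to begins outside the hunk.
```nix
] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
  # … unchanged: "name must equal fqdn" assertion …
] ++ lib.optionals (config.mailserver.certificateScheme == "acme") [
  {
    assertion =
      let
        cert = config.security.acme.certs.${config.mailserver.acmeCertificateName};
        fqdn = config.mailserver.fqdn;
        # a "*.example.com" name is accepted when fqdn ends in ".example.com"
        covers = n: n == fqdn
          || (lib.hasPrefix "*." n && lib.hasSuffix (lib.removePrefix "*" n) fqdn);
      in lib.any covers ([ cert.domain ] ++ cert.extraDomainNames);
    message = "mailserver.acmeCertificateName must name a security.acme.certs entry whose domain or extraDomainNames cover mailserver.fqdn";
  }
];
```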


@ -26,7 +26,7 @@ in
else if cfg.certificateScheme == "selfsigned" else if cfg.certificateScheme == "selfsigned"
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem" then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx" else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem" then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
else throw "unknown certificate scheme"; else throw "unknown certificate scheme";
# key :: PATH # key :: PATH
@ -35,7 +35,7 @@ in
else if cfg.certificateScheme == "selfsigned" else if cfg.certificateScheme == "selfsigned"
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem" then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx" else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem" then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
else throw "unknown certificate scheme"; else throw "unknown certificate scheme";
passwordFiles = let passwordFiles = let
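Review bot: Both hunks now read `fullchain.pem` and `key.pem` from whichever `security.acme.certs` entry `cfg.acmeCertificateName` names, so any remaining `security.acme.certs."${cfg.fqdn}"` reference in the module that configures access to that key (for example the cert's `group`) would now point at a different entry than the one actually read; none is visible among this commit's four files, but it is worth a grep, and if nothing in the module grants the daemons read access the option description should tell users to set the named cert's `group` so postfix and dovecot can read `key.pem`. The second hunk has the same change as the first. On style, the other changed file quotes the dynamic attribute (`certs."${…}"`) while these lines use bare `certs.${…}`; pick one form. The `# cert :: PATH` and `# key :: PATH` headers could add `# acme/acme-nginx: taken from the cert named by cfg.acmeCertificateName, not from cfg.fqdn`. The `let` bindings these expressions belong to start and end outside the hunks.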


@ -17,7 +17,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with (import ./common.nix { inherit config; }); with (import ./common.nix { inherit config lib pkgs; });
let let
cfg = config.mailserver; cfg = config.mailserver;
@ -34,7 +34,7 @@ in
}; };
}; };
security.acme.certs."${cfg.fqdn}".reloadServices = [ security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
"postfix.service" "postfix.service"
"dovecot2.service" "dovecot2.service"
]; ];
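Review bot: Assigning `reloadServices` under `"${cfg.acmeCertificateName}"` in the second hunk creates that `security.acme.certs` entry if nothing else declares it, so the option can never be a dangling reference, but a typo becomes an unintended certificate request for a domain equal to the mistyped name rather than an evaluation error; whether this attribute set is gated by the certificate scheme lies outside the hunk, and a one-line comment such as `# creates the cert entry if the user has not declared it; see the acmeCertificateName assertion` would make that explicit. The first hunk's change to `inherit config lib pkgs` is not explained: no hunk in this commit shows `common.nix` starting to use `lib` or `pkgs`, so either its argument set already required them (a latent missing-argument error worth a sentence in the commit message) or the extra arguments are unused.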