Switch to NixOS ACME module for certificate management

Drop most of the existing certificate handling, because we're effectively duplicating functionality that NixOS offers for free with better design, testing and maintainance than what we could provide downstream. The remaining two options are to reference an existing `security.acme.certs` configuration through `mailserver.x509.useACMEHost` or to provide existing key material via `mailserver.x509.certificateFile` and `mailserver.x509.privateKeyFile`. Support for automatic creation of self-signed certificates has been removed, because it is undesirable in public mail setups. The updated setup guide now displays the recommended configuration that relies on the NixOS ACME module, but requires further customization to select a suitable challenge. Co-Authored-By: Emily <git@emilylange.de>
2025-10-19 23:20:00 +02:00
parent 18ee2a44ed
commit 33ba1ff52b
19 changed files with 166 additions and 239 deletions
@@ -196,6 +196,12 @@ in
          multiple languages are present in the configuration.
        '';

+    security.acme.certs = lib.mkIf withACME {
+      ${cfg.x509.useACMEHost} = {
+        reloadServices = [ "dovecot.service" ];
+      };
+    };
+
    # for sieve-test. Shelling it in on demand usually doesnt' work, as it reads
    # the global config and tries to open shared libraries configured in there,
    # which are usually not compatible.
@@ -216,8 +222,8 @@ in
      mailGroup = cfg.vmailGroupName;
      mailUser = cfg.vmailUserName;
      mailLocation = dovecotMaildir;
-      sslServerCert = certificatePath;
-      sslServerKey = keyPath;
+      sslServerCert = x509CertificateFile;
+      sslServerKey = x509PrivateKeyFile;
      enableDHE = lib.mkDefault false;
      enableLmtp = true;
      mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [
@@ -455,6 +461,10 @@ in
        ${genPasswdScript}
      ''
      + (lib.optionalString cfg.ldap.enable setPwdInLdapConfFile);
+      reloadTriggers = lib.mkIf (!withACME) [
+        x509CertificateFile
+        x509PrivateKeyFile
+      ];
    };

    systemd.services.postfix.restartTriggers = [