Switch to NixOS ACME module for certificate management

Drop most of the existing certificate handling, because we're effectively duplicating functionality that NixOS offers for free with better design, testing and maintainance than what we could provide downstream. The remaining two options are to reference an existing `security.acme.certs` configuration through `mailserver.x509.useACMEHost` or to provide existing key material via `mailserver.x509.certificateFile` and `mailserver.x509.privateKeyFile`. Support for automatic creation of self-signed certificates has been removed, because it is undesirable in public mail setups. The updated setup guide now displays the recommended configuration that relies on the NixOS ACME module, but requires further customization to select a suitable challenge. Co-Authored-By: Emily <git@emilylange.de>
2025-10-19 23:20:00 +02:00
parent 18ee2a44ed
commit 33ba1ff52b
19 changed files with 166 additions and 239 deletions
@@ -33,47 +33,16 @@ with (import ./common.nix {

 let
  cfg = config.mailserver;
-  certificatesDeps =
-    if cfg.certificateScheme == "manual" then
-      [ ]
-    else if cfg.certificateScheme == "selfsigned" then
-      [ "mailserver-selfsigned-certificate.service" ]
-    else
-      [ "acme-finished-${cfg.fqdn}.target" ];
-
+  certificateDeps = lib.optionals withACME [
+    "acme-order-renew-${cfg.x509.useACMEHost}.service"
+  ];
 in
 {
  config = lib.mkIf cfg.enable {
-    # Create self signed certificate
-    systemd.services.mailserver-selfsigned-certificate =
-      lib.mkIf (cfg.certificateScheme == "selfsigned")
-        {
-          after = [ "local-fs.target" ];
-          script = ''
-            # Create certificates if they do not exist yet
-            dir="${cfg.certificateDirectory}"
-            fqdn="${cfg.fqdn}"
-            [[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
-            key="$dir/key-${cfg.fqdn}.pem";
-            cert="$dir/cert-${cfg.fqdn}.pem";

-            if [[ ! -f $key || ! -f $cert ]]; then
-                mkdir -p "${cfg.certificateDirectory}"
-                (umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 2048) &&
-                    "${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" \
-                            -days 3650 -out "$cert"
-            fi
-          '';
-          serviceConfig = {
-            Type = "oneshot";
-            PrivateTmp = true;
-          };
-        };
-
-    # Create maildir folder before dovecot startup
    systemd.services.dovecot = {
-      wants = certificatesDeps;
-      after = certificatesDeps;
+      wants = certificateDeps;
+      after = certificateDeps;
      preStart =
        let
          directories = lib.strings.escapeShellArgs (
@@ -93,12 +62,12 @@ in

    # Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
    systemd.services.postfix = {
-      wants = certificatesDeps;
+      wants = certificateDeps;
      after = [
        "dovecot.service"
      ]
      ++ lib.optional cfg.dkimSigning "rspamd.service"
-      ++ certificatesDeps;
+      ++ certificateDeps;
      requires = [ "dovecot.service" ] ++ lib.optional cfg.dkimSigning "rspamd.service";
    };
  };