mailsystem: Add option to use selfsigned certificates in preparation for testing

2024-12-05 16:04:01 +01:00 · 2024-12-05 16:04:01 +01:00 · a592881b8b
commit a592881b8b
parent 6d6b856bee
5 changed files with 84 additions and 18 deletions
--- a/mailsystem/nginx.nix
+++ b/mailsystem/nginx.nix
@ -3,23 +3,28 @@
  pkgs,
  lib,
  ...
-}: let
+}:
+with (import ./common.nix {inherit config;}); let
  cfg = config.mailsystem;
 in {
-  config = lib.mkIf cfg.enable {
-    services.nginx = {
-      enable = true;
-      virtualHosts."${cfg.fqdn}" = {
-        forceSSL = true;
-        enableACME = true;
+  config =
+    lib.mkIf cfg.enable {
+      services.nginx = {
+        enable = true;
+        virtualHosts."${cfg.fqdn}" = {
+          forceSSL = true;
+          enableACME = cfg.certificateScheme == "acme";
+          sslCertificate = lib.mkIf (cfg.certificateScheme == "selfsigned") sslCertPath;
+          sslCertificateKey = lib.mkIf (cfg.certificateScheme == "selfsigned") sslKeyPath;
+        };
      };
+
+      networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [80 443];
+    }
+    // lib.mkIf (cfg.enable && cfg.certificateScheme == "acme") {
+      security.acme.certs."${cfg.fqdn}".reloadServices = [
+        "postfix.service"
+        "dovecot2.service"
+      ];
    };
-
-    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [80 443];
-
-    security.acme.certs."${cfg.fqdn}".reloadServices = [
-      "postfix.service"
-      "dovecot2.service"
-    ];
-  };
 }