i have to fix a issue with the overall design first and then i will reopen the PR

sure no problem

ATM i wonder why there is: cert.domain at all. what is the motivation to not just use the attrName as 'domain' key? if no such motivation is there i'd like to rewrite the service and force the attrName to be the domain and get rid of the domain mkOption completely.

The domain option was introduced to make it possible to have different certificates with the same common name (i.e. with different SubjAltNames for different services).

now that @fpletz explained why domain needs to be there i think that this patch is working for both of our use-cases.

@qknight I pushed a simplified proposal to your branch that takes into account what we where saying previously. It still needs a bit of testing. Feel free to revert or change it however you like.

@zimbatm happy to use your modified version. i have to find out what has to be done now, do i merge your stuff now and then sqash-merge it?

yes or keep adding commits to the branch and I'll squash them during merge

another thing i don't understand is security.acme.certs.<name>.webroot. in nixcloud-webservices i'm using a constant here, which points to /var/lib/acme/acme-challenges for all my security.acme.certs.

i assume this value is closely coupled with the vhost abstraction in nginx you guys wrote, is that correct? i'd like to add a example value and a better description to it, any ideas what that could be?

yeah, I didn't build it but I'm pretty sure it's tied to the nginx enableTLS feature. It should work with Apache or any other webserver that can map the .well-known folder to that path. I believe that ACME has other validation methods, in which case this folder would be pretty useless.

@zimbatm if you like it, please merge it. i didn't test 'our' work in production yet, so merge with care. and thanks for your effort, very much appreciated!

@zimbatm @fpletz

regarding default values

at the moment this is the most important patch so that domain is always assigned to a resonable value (not null but a string) by default. this is an important patch, since i want to read the certificates directly and don't have to check if they are null and then "otherwise" use the attrName.

regarding restart/reload

creating the new reload and restart targets was motivated by the idea that one can merge the different configs for a single domain so nixcloud.email could use the same TLS certificates as nixcloud.webservices but since merging does not work our current solution is to use seperate certs for these two use-cases.

this usage still does not exceed the quota of weekly certs of 4.

we could basically drop this from the PR and maybe create a new abstraction: security.TLS which uses security.acme as a backend.

webroot might have to be a unique directory but i'm not sure.

How about creating a new PR with just the default values change?

The rest is less obvious to me and I don't have a setup to test it out right now; I think overall the idea is good, it just needs to be fleshed out a bit more.

@zimbatm yes, this seems to be a good idea. let's skip the restart/reload feature completely for the time being.

@zimbatm

• please check this latest patch and squash merge it.
• after your merge into master i would like to cherry-pick this into 17.09 later on, agreed?

@GrahamcOfBorg test acme

Failure on aarch64-linux (full log)

Package ‘botan-1.10.17’ in /var/lib/gc-of-borg/nix-test-rs-3/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-aarch64-community-3/pkgs/development/libraries/botan/generic.nix:46 is not supported on ‘aarch64-linux’, refusing to evaluate.

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.

Success on x86_64-linux (full log)

webserver: running command: sync
webserver: exit status 0
test script finished in 105.64s
cleaning up
killing client (pid 612)
killing letsencrypt (pid 593)
killing webserver (pid 623)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/tmp/nix-build-vm-test-run-acme.drv-0/vde1.ctl': Directory not empty
/nix/store/7f6jj93lgz7klhdsl6kc2gsqn9cfk4rk-vm-test-run-acme

@qknight looks good to me. It should be safe to be cherry-picked as well.

Any idea on what to name the commit?

something like acme_default_value_via_module_system

Fixed XML in #34683