Merge branch '333.multiple-issuer-domains' into 'develop'

Multiple domains in issuer certificate

See merge request !94

morph/grid/local/config.json

@@ -2,7 +2,7 @@
 , "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/privatestorageio-testing-stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.localdev"
+, "issuerDomains": ["payments.localdev"]
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
 , "allowedChargeOrigins": [
     "http://localhost:5000"

morph/grid/production/config.json

@@ -2,7 +2,10 @@
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage.io"
+, "issuerDomains": [
+    "payments.private.storage"
+  , "payments.privatestorage.io"
+  ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
     "https://privatestorage.io"

morph/grid/testing/config.json

@@ -2,7 +2,10 @@
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
 , "passValue": 1000000
-, "issuerDomain": "payments.privatestorage-staging.com"
+, "issuerDomains": [
+    "payments.privatestorage-staging.com"
+  , "payments.extra.privatestorage-staging.com"
+  ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
     "http://localhost:5000"

morph/lib/make-issuer.nix

 { hardware
 , ristrettoSigningKeyPath
 , stripeSecretKeyPath
-, issuerDomain
+, issuerDomains
 , letsEncryptAdminEmail
 , allowedChargeOrigins
 , sshUsers
@@ -47,7 +47,7 @@
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;
-    domain = issuerDomain;
+    domains = issuerDomains;
     inherit allowedChargeOrigins;
   };
 

nixos/modules/issuer.nix

@@ -18,12 +18,11 @@ in {
         The package to use for the ZKAP issuer.
       '';
     };
-    services.private-storage-issuer.domain = lib.mkOption {
-      default = "payments.privatestorage.io";
-      type = lib.types.str;
-      example = lib.literalExample "payments.example.com";
+    services.private-storage-issuer.domains = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "payments.example.com" ];
       description = ''
-        The domain name at which the issuer is reachable.
+        The domain names at which the issuer is reachable.
       '';
     };
     services.private-storage-issuer.tls = lib.mkOption {
@@ -115,6 +114,10 @@ in {
   config =
     let
       certroot = "/var/lib/letsencrypt/live";
+      # We'll refer to this collection of domains by the first domain in the
+      # list.
+      domain = builtins.head cfg.domains;
+      certServiceName = "cert-${domain}";
     in lib.mkIf cfg.enable {
     # Add a systemd service to run PaymentServer.
     systemd.services.zkapissuer = {
@@ -124,7 +127,7 @@ in {
 
       # Make sure we have a certificate the first time, if we are running over
       # TLS and require a certificate.
-      requires = lib.optional cfg.tls "cert-${cfg.domain}.service";
+      requires = lib.optional cfg.tls "${certServiceName}.service";
 
       after = [
         # Make sure there is a network so we can bind to all of the
@@ -133,7 +136,7 @@ in {
       ] ++
         # Make sure we run after the certificate is issued, if we are running
         # over TLS and require a certificate.
-        lib.optional cfg.tls "cert-${cfg.domain}.service";
+        lib.optional cfg.tls "${certServiceName}.service";
 
       # It really shouldn't ever exit on its own!  If it does, it's a bug
       # we'll have to fix.  Restart it and hope it doesn't happen too much
@@ -157,9 +160,9 @@ in {
             if cfg.tls
             then
               "--https-port 443 " +
-              "--https-certificate-path ${certroot}/${cfg.domain}/cert.pem " +
-              "--https-certificate-chain-path ${certroot}/${cfg.domain}/chain.pem " +
-              "--https-key-path ${certroot}/${cfg.domain}/privkey.pem"
+              "--https-certificate-path ${certroot}/${domain}/cert.pem " +
+              "--https-certificate-chain-path ${certroot}/${domain}/chain.pem " +
+              "--https-key-path ${certroot}/${domain}/privkey.pem"
             else
               # Only for automated testing.
               "--http-port 80";
@@ -179,20 +182,20 @@ in {
 
     # Certificate renewal.  We must declare that we *require* it in our
     # service above.
-    systemd.services."cert-${cfg.domain}" = {
+    systemd.services."${certServiceName}" = {
       enable = true;
-      description = "Issue/Renew certificate for ${cfg.domain}";
+      description = "Certificate ${domain}";
       serviceConfig = {
         ExecStart =
         let
           configArgs = "--config-dir /var/lib/letsencrypt --work-dir /var/run/letsencrypt --logs-dir /var/run/log/letsencrypt";
         in
-          pkgs.writeScript "cert-${cfg.domain}-start.sh" ''
+          pkgs.writeScript "cert-${domain}-start.sh" ''
           #!${pkgs.runtimeShell} -e
           # Register if necessary.
           ${pkgs.certbot}/bin/certbot register ${configArgs} --non-interactive --agree-tos -m ${cfg.letsEncryptAdminEmail} || true
           # Obtain the certificate.
-          ${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --domains ${cfg.domain}
+          ${pkgs.certbot}/bin/certbot certonly ${configArgs} --non-interactive --standalone --expand --domains ${builtins.concatStringsSep "," cfg.domains}
           '';
       };
     };

nixos/modules/tests/private-storage.nix

@@ -134,7 +134,7 @@ in {
 
       services.private-storage-issuer = {
         enable = true;
-        domain = "issuer";
+        domains = ["issuer"];
         tls = false;
         issuer = "Ristretto";
         inherit ristrettoSigningKeyPath;