From 5671fa2396886c038ed0c28af9797e8b16786783 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Sat, 26 Oct 2019 00:40:51 +0200
Subject: [PATCH 1/2] nixos/modules/security/acme.nix: add server option
Add a new option permitting to point certbot to an ACME Directory Resource URI other than Let's Encrypt production/staging one. In the meantime, we are deprecating the now useless Let's Encrypt production flag.
---
nixos/modules/security/acme.nix | 44 ++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 15 deletions(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index cbeb99cfcef..d14613f22b0 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -20,6 +20,16 @@ let
 '';
 };
+ server = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ ACME Directory Resource URI. Defaults to let's encrypt
+ production endpoint,
+ https://acme-v02.api.letsencrypt.org/directory, if unset.
+ '';
+ };
+
 domain = mkOption {
 type = types.str;
 default = name;
@@ -109,7 +119,15 @@ in
 {
 ###### interface
+ imports = [
+ (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+ Use security.acme.server to define your staging ACME server URL instead.
+ To use the let's encrypt staging server, use security.acme.server =
+ "https://acme-staging-v02.api.letsencrypt.org/directory".
+ ''
+ )
+ ];
 options = {
 security.acme = {
@@ -129,6 +147,16 @@ in
 '';
 };
+ server = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ ACME Directory Resource URI. Defaults to let's encrypt
+ production endpoint,
+ https://acme-v02.api.letsencrypt.org/directory, if unset.
+ '';
+ };
+
 preliminarySelfsigned = mkOption {
 type = types.bool;
 default = true;
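Review bot: The per-certificate `server` option added in this hunk carries the same description as the global `security.acme.server` added at `@@ -129,6 +147,16`, and neither says how the two relate; the precedence is only discoverable from the `--server` expression at `@@ -198,7 +212,7`, where a per-cert value wins over the global one. Suggest ending this description with `Overrides security.acme.server for this certificate.` and the global one with `Can be overridden per certificate with security.acme.certs.<name>.server.` Both options are `types.nullOr types.str`, so a malformed or non-HTTPS value is only noticed when certbot fails at run time; if evaluation-time feedback is wanted, a `types.strMatching` pattern on the scheme would catch typos earlier, though that may be out of scope for this change. The descriptions also write `let's encrypt` where the removed option text in this same file uses `Let's Encrypt`.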
@@ -142,20 +170,6 @@ in
 '';
 };
- production = mkOption {
- type = types.bool;
- default = true;
- description = ''
- If set to true, use Let's Encrypt's production environment
- instead of the staging environment. The main benefit of the
- staging environment is to get much higher rate limits.
-
- See
- https://letsencrypt.org/docs/staging-environment
- for more detail.
- '';
- };
-
 certs = mkOption {
 default = { };
 type = with types; attrsOf (submodule certOpts);
@@ -198,7 +212,7 @@ in
 ++ optionals (data.email != null) [ "--email" data.email ]
 ++ concatMap (p: [ "-f" p ]) data.plugins
 ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
- ++ optionals (!cfg.production) ["--server" "https://acme-staging-v02.api.letsencrypt.org/directory"];
+ ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
 acmeService = {
 description = "Renew ACME Certificate for ${cert}";
 after = [ "network.target" "network-online.target" ];
From 781f0cf2ec3d18afa7e9f276ea87da4017934fee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Sat, 26 Oct 2019 00:45:19 +0200
Subject: [PATCH 2/2] nixos/tests/acme.nix: remove pebble custom endpoint patch
The recent custom endpoint addition allows us to directly point certbot to the custom Pebble directory endpoint. Thanks to that, we can ditch the Pebble patch we were using so far; making this test maintenance easier.
---
nixos/tests/acme.nix | 9 +++++--
...ACME-directory-endpoint-to-directory.patch | 25 -------------------
nixos/tests/common/letsencrypt/default.nix | 12 +--------
3 files changed, 8 insertions(+), 38 deletions(-)
delete mode 100644 nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 85d32d10944..206d97849f0 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
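Review bot: The new `--server` line at `@@ -198,7 +212,7` evaluates the precedence between the two options twice, once in the `optionals` guard (`cfg.server != null || data.server != null`) and once in the argument (`if data.server == null then cfg.server else data.server`), which is easy to get out of sync if a third source is ever added. Binding the effective value once reads more clearly, e.g. `let server = if data.server != null then data.server else cfg.server; in` above the argument list and `++ optionals (server != null) [ "--server" server ]` in place of this line. The binding that builds the certbot argument list starts and ends outside the hunk, so the exact place for the `let` is not visible here.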
@@ -12,8 +12,11 @@ in import ./make-test.nix {
 networking.extraHosts = ''
 ${config.networking.primaryIPAddress} standalone.com
 '';
- security.acme.certs."standalone.com" = {
- webroot = "/var/lib/acme/acme-challenges";
+ security.acme = {
+ server = "https://acme-v02.api.letsencrypt.org/dir";
+ certs."standalone.com" = {
+ webroot = "/var/lib/acme/acme-challenges";
+ };
 };
 systemd.targets."acme-finished-standalone.com" = {};
 systemd.services."acme-standalone.com" = {
@@ -54,6 +57,8 @@ in import ./make-test.nix {
 '';
 };
+ security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
+
 nesting.clone = [
 ({pkgs, ...}: {
diff --git a/nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch b/nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch
deleted file mode 100644
index 9d4a483dd88..00000000000
--- a/nixos/tests/common/letsencrypt/0001-Change-ACME-directory-endpoint-to-directory.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From c3b4004386074342d22cab5e129c1f7e623f4272 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
-Date: Mon, 21 Oct 2019 10:56:13 +0200
-Subject: [PATCH] Change ACME directory endpoint to /directory
-
---
- wfe/wfe.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/wfe/wfe.go b/wfe/wfe.go
-index e24797f..10d29fb 100644
---- a/wfe/wfe.go
-+++ b/wfe/wfe.go
-@@ -39,7 +39,7 @@ const (
- // Note: We deliberately pick endpoint paths that differ from Boulder to
- // exercise clients processing of the /directory response
- // We export the DirectoryPath so that the pebble binary can reference it
-- DirectoryPath = "/dir"
-+ DirectoryPath = "/directory"
- noncePath = "/nonce-plz"
- newAccountPath = "/sign-me-up"
- acctPath = "/my-account/"
---
-2.23.0
-
diff --git a/nixos/tests/common/letsencrypt/default.nix b/nixos/tests/common/letsencrypt/default.nix
index aaf2896f21c..110a2520971 100644
--- a/nixos/tests/common/letsencrypt/default.nix
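Review bot: The Pebble directory URL `https://acme-v02.api.letsencrypt.org/dir` is hard-coded twice in this file, in this hunk and again at `@@ -54,6 +57,8`, and it bakes in a Pebble-specific detail (the `/dir` path that the patch deleted in this same commit used to rewrite to `/directory`) that the shared test module `nixos/tests/common/letsencrypt/default.nix` no longer mentions anywhere. Factoring it into a single `let` binding at the top of the test, or exporting it from the common module next to its `pebble` binding, would leave one place to update when Pebble or the test host name changes. The two hunks also set the option in different shapes, nested `security.acme = { server = ...; certs... }` here and dotted `security.acme.server = ...;` below; either is fine but using one form makes the test easier to scan. A short comment on the first occurrence would help too, since a `letsencrypt.org` host name that presumably resolves to the local Pebble instance is surprising on first read, e.g. `# Pebble (see common/letsencrypt) serves its ACME directory at /dir, not /directory`.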
+++ b/nixos/tests/common/letsencrypt/default.nix
@@ -62,17 +62,7 @@ let
 siteDomain = "letsencrypt.org";
 siteCertFile = snakeOilCerts.${siteDomain}.cert;
 siteKeyFile = snakeOilCerts.${siteDomain}.key;
- pebble = pkgs.pebble.overrideAttrs (attrs: {
- # The pebble directory endpoint is /dir when the bouder (official
- # ACME server) is /directory. Sadly, this endpoint is hardcoded,
- # we have to patch it.
- #
- # Tried to upstream, that said upstream maintainers rather keep
- # this custom endpoint to test ACME clients robustness. See
- # https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
- patches = [ ./0001-Change-ACME-directory-endpoint-to-directory.patch ];
- });
-
+ pebble = pkgs.pebble;
 resolver = let
 message = "You need to define a resolver for the letsencrypt test module.";
 firstNS = lib.head config.networking.nameservers;
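Review bot: With the override removed, `pebble = pkgs.pebble;` in this hunk drops the only comment that explained Pebble's non-standard `/dir` directory path, and the test that now depends on that path (`nixos/tests/acme.nix` in this same series) carries it silently. Suggest keeping a one-line reminder on the binding, e.g. `# Unpatched Pebble serves its ACME directory at /dir (not /directory); clients must point security.acme.server at it.` If `pebble` is only referenced by name it could also be inlined, but keeping the binding together with the comment is the more useful of the two. The enclosing `let` block continues outside the hunk.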