Add certificate creation and handling to websites

30 files changed, 150 insertions, 168 deletions

diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index 6a18c8a..b76aeea 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -3,6 +3,9 @@ let
   cfg = config.services.websites;
 in
 {
+  options.services.websitesCerts = mkOption {
+    description = "Default websites configuration for certificates as accepted by acme";
+  };
   options.services.websites = with types; mkOption {
     default = {};
     description = "Each type of website to enable will target a distinct httpd server";
@@ -72,6 +75,16 @@ in
           type = attrsOf (submodule {
             options = {
               certName = mkOption { type = string; };
+              addToCerts = mkOption {
+                type = bool;
+                default = false;
+                description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
+              };
+              certMainHost = mkOption {
+                type = nullOr string;
+                description = "Use that host as 'main host' for acme certs";
+                default = null;
+              };
               hosts    = mkOption { type = listOf string; };
               root     = mkOption { type = nullOr path; };
               extraConfig = mkOption { type = listOf lines; default = []; };
@@ -145,4 +158,42 @@ in
         ++ [ (redirectVhost icfg.ips) ];
     })
   ) cfg;
+
+  config.security.acme.certs = let
+    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
+    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
+      attrValues v.vhostConfs
+    ) typesToManage);
+    groupedCerts = attrsets.filterAttrs
+      (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
+      (lists.groupBy (v: v.certName) flatVhosts);
+    groupToDomain = group:
+      let
+        nonNull = builtins.filter (v: !isNull v.certMainHost) group;
+        domains = lists.unique (map (v: v.certMainHost) nonNull);
+      in
+        if builtins.length domains == 0
+          then null
+          else assert (builtins.length domains == 1); (elemAt domains 0);
+    extraDomains = group:
+      let
+        mainDomain = groupToDomain group;
+      in
+        lists.remove mainDomain (
+          lists.unique (
+            lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
+          )
+        );
+  in attrsets.mapAttrs (k: g:
+    if (!isNull (groupToDomain g))
+    then config.services.websitesCerts // {
+      domain = groupToDomain g;
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+    else {
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+  ) groupedCerts;
 }
diff --git a/nixops/modules/certificates.nix b/nixops/modules/certificates.nix
index 08f84fd..d648ff7 100644
--- a/nixops/modules/certificates.nix
+++ b/nixops/modules/certificates.nix
@@ -15,6 +15,8 @@
   };
 
   config = {
+    services.websitesCerts = config.services.myCertificates.certConfig;
+
     security.acme.preliminarySelfsigned = true;
 
     security.acme.certs = {
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index feb3be8..426aa68 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -101,10 +101,10 @@ in {
           SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
         '';
     }];
-    security.acme.certs."eldiron".extraDomains.${fqdn} = null;
     services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
     services.websites.tools.vhostConfs.task = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "task.immae.eu" ];
       root        = "/run/current-system/webapps/_task";
       extraConfig = [ ''
diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix
index fd002a5..a9e75b6 100644
--- a/nixops/modules/websites/aten/default.nix
+++ b/nixops/modules/websites/aten/default.nix
@@ -25,13 +25,6 @@ in {
       secrets.keys = aten_prod.keys;
       services.webstats.sites = [ { name = "aten.pro"; } ];
 
-      security.acme.certs."aten" = config.services.myCertificates.certConfig // {
-        domain = "aten.pro";
-        extraDomains = {
-          "www.aten.pro" = null;
-        };
-      };
-
       services.myPhpfpm.preStart.aten_prod = aten_prod.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.aten_prod = aten_prod.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.aten_prod = aten_prod.phpFpm.pool;
@@ -42,15 +35,15 @@ in {
         '';
       services.websites.production.modules = aten_prod.apache.modules;
       services.websites.production.vhostConfs.aten = {
-        certName    = "aten";
-        hosts       = [ "aten.pro" "www.aten.pro" ];
-        root        = aten_prod.apache.root;
-        extraConfig = [ aten_prod.apache.vhostConf ];
+        certName     = "aten";
+        certMainHost = "aten.pro";
+        hosts        = [ "aten.pro" "www.aten.pro" ];
+        root         = aten_prod.apache.root;
+        extraConfig  = [ aten_prod.apache.vhostConf ];
       };
     })
     (lib.mkIf cfg.integration.enable {
       secrets.keys = aten_dev.keys;
-      security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null;
       services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.aten_dev = aten_dev.phpFpm.pool;
@@ -62,6 +55,7 @@ in {
       services.websites.integration.modules = aten_dev.apache.modules;
       services.websites.integration.vhostConfs.aten = {
         certName    = "eldiron";
+        addToCerts  = true;
         hosts       = [ "dev.aten.pro" ];
         root        = aten_dev.apache.root;
         extraConfig = [ aten_dev.apache.vhostConf ];
diff --git a/nixops/modules/websites/capitaines/default.nix b/nixops/modules/websites/capitaines/default.nix
index 0d85266..4bbf488 100644
--- a/nixops/modules/websites/capitaines/default.nix
+++ b/nixops/modules/websites/capitaines/default.nix
@@ -13,20 +13,17 @@ in {
   };
 
   config = lib.mkIf cfg.production.enable {
-    security.acme.certs."capitaines" = config.services.myCertificates.certConfig // {
-      domain = "mastodon.capitaines.fr";
-      extraDomains = { "capitaines.fr" = null; };
-    };
     system.extraSystemBuilderCmds = ''
       mkdir -p $out/webapps
       ln -s ${siteDir} $out/webapps/${webappName}
       '';
 
     services.websites.production.vhostConfs.capitaines_mastodon = {
-      certName    = "capitaines";
-      hosts       = [ "mastodon.capitaines.fr" ];
-      root        = root;
-      extraConfig = [
+      certName     = "capitaines";
+      certMainHost = "mastodon.capitaines.fr";
+      hosts        = [ "mastodon.capitaines.fr" ];
+      root         = root;
+      extraConfig  = [
         ''
         ErrorDocument 404 /index.html
         <Directory ${root}>
@@ -39,9 +36,10 @@ in {
     };
 
     services.websites.production.vhostConfs.capitaines = {
-      certName = "capitaines";
-      hosts    = [ "capitaines.fr" ];
-      root     = "/run/current-system/webapps/_www";
+      certName   = "capitaines";
+      addToCerts = true;
+      hosts      = [ "capitaines.fr" ];
+      root       = "/run/current-system/webapps/_www";
       extraConfig = [ ''
         <Directory /run/current-system/webapps/_www>
           DirectoryIndex index.htm
diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix
index ba72d92..8e801b5 100644
--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,13 +25,6 @@ in {
       secrets.keys = chloe_prod.keys;
       services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
 
-      security.acme.certs."chloe" = config.services.myCertificates.certConfig // {
-        domain = "osteopathe-cc.fr";
-        extraDomains = {
-          "www.osteopathe-cc.fr" = null;
-        };
-      };
-
       services.myPhpfpm.serviceDependencies.chloe_prod = chloe_prod.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.chloe_prod = chloe_prod.phpFpm.pool;
       services.myPhpfpm.poolPhpConfigs.chloe_prod = ''
@@ -44,15 +37,15 @@ in {
         '';
       services.websites.production.modules = chloe_prod.apache.modules;
       services.websites.production.vhostConfs.chloe = {
-        certName    = "chloe";
-        hosts       = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ];
-        root        = chloe_prod.apache.root;
-        extraConfig = [ chloe_prod.apache.vhostConf ];
+        certName     = "chloe";
+        certMainHost = "osteopathe-cc.fr";
+        hosts        = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ];
+        root         = chloe_prod.apache.root;
+        extraConfig  = [ chloe_prod.apache.vhostConf ];
       };
     })
     (lib.mkIf cfg.integration.enable {
       secrets.keys = chloe_dev.keys;
-      security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
       services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;
       services.myPhpfpm.poolPhpConfigs.chloe_dev = ''
@@ -66,6 +59,7 @@ in {
       services.websites.integration.modules = chloe_dev.apache.modules;
       services.websites.integration.vhostConfs.chloe = {
         certName    = "eldiron";
+        addToCerts  = true;
         hosts       = ["chloe.immae.eu" ];
         root        = chloe_dev.apache.root;
         extraConfig = [ chloe_dev.apache.vhostConf ];
diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix
index 3643e19..20c5166 100644
--- a/nixops/modules/websites/connexionswing/default.nix
+++ b/nixops/modules/websites/connexionswing/default.nix
@@ -25,15 +25,6 @@ in {
       secrets.keys = connexionswing_prod.keys;
       services.webstats.sites = [ { name = "connexionswing.com"; } ];
 
-      security.acme.certs."connexionswing" = config.services.myCertificates.certConfig // {
-        domain = "connexionswing.com";
-        extraDomains = {
-          "www.connexionswing.com" = null;
-          "sandetludo.com" = null;
-          "www.sandetludo.com" = null;
-        };
-      };
-
       services.myPhpfpm.preStart.connexionswing_prod = connexionswing_prod.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.connexionswing_prod = connexionswing_prod.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.connexionswing_prod = connexionswing_prod.phpFpm.pool;
@@ -45,16 +36,15 @@ in {
         '';
       services.websites.production.modules = connexionswing_prod.apache.modules;
       services.websites.production.vhostConfs.connexionswing = {
-        certName    = "connexionswing";
-        hosts       = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
-        root        = connexionswing_prod.apache.root;
-        extraConfig = [ connexionswing_prod.apache.vhostConf ];
+        certName     = "connexionswing";
+        certMainHost = "connexionswing.com";
+        hosts        = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
+        root         = connexionswing_prod.apache.root;
+        extraConfig  = [ connexionswing_prod.apache.vhostConf ];
       };
     })
     (lib.mkIf cfg.integration.enable {
       secrets.keys = connexionswing_dev.keys;
-      security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null;
-      security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null;
       services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.connexionswing_dev = connexionswing_dev.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.connexionswing_dev = connexionswing_dev.phpFpm.pool;
@@ -67,6 +57,7 @@ in {
       services.websites.integration.modules = connexionswing_dev.apache.modules;
       services.websites.integration.vhostConfs.connexionswing = {
         certName    = "eldiron";
+        addToCerts  = true;
         hosts       = ["connexionswing.immae.eu" "sandetludo.immae.eu" ];
         root        = connexionswing_dev.apache.root;
         extraConfig = [ connexionswing_dev.apache.vhostConf ];
diff --git a/nixops/modules/websites/emilia/default.nix b/nixops/modules/websites/emilia/default.nix
index 4e32bec..47257b7 100644
--- a/nixops/modules/websites/emilia/default.nix
+++ b/nixops/modules/websites/emilia/default.nix
@@ -47,13 +47,6 @@ in {
   };
 
   config = lib.mkIf cfg.production.enable {
-    security.acme.certs."emilia" = config.services.myCertificates.certConfig // {
-      domain = "saison-photo.org";
-      extraDomains = {
-        "www.saison-photo.org" = null;
-      };
-    };
-
     system.activationScripts.emilia = ''
       install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
       '';
@@ -62,10 +55,11 @@ in {
       ln -s ${siteDir} $out/webapps/${webappName}
       '';
     services.websites.production.vhostConfs.emilia = {
-      certName    = "emilia";
-      hosts       = [ "saison-photo.org" "www.saison-photo.org" ];
-      root        = root;
-      extraConfig = [
+      certName     = "emilia";
+      certMainHost = "saison-photo.org";
+      hosts        = [ "saison-photo.org" "www.saison-photo.org" ];
+      root         = root;
+      extraConfig  = [
         ''
         <Directory ${root}>
           DirectoryIndex pause.html
diff --git a/nixops/modules/websites/ftp/denisejerome.nix b/nixops/modules/websites/ftp/denisejerome.nix
index fa31430..884fb62 100644
--- a/nixops/modules/websites/ftp/denisejerome.nix
+++ b/nixops/modules/websites/ftp/denisejerome.nix
@@ -13,15 +13,12 @@ in {
   config = lib.mkIf cfg.production.enable {
     services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ];
 
-    security.acme.certs."denisejerome" = config.services.myCertificates.certConfig // {
-      domain = "denisejerome.piedsjaloux.fr";
-    };
-
     services.websites.production.vhostConfs.denisejerome = {
-      certName    = "denisejerome";
-      hosts       = ["denisejerome.piedsjaloux.fr" ];
-      root        = varDir;
-      extraConfig = [
+      certName     = "denisejerome";
+      certMainHost = "denisejerome.piedsjaloux.fr";
+      hosts        = ["denisejerome.piedsjaloux.fr" ];
+      root         = varDir;
+      extraConfig  = [
         ''
         Use Stats denisejerome.piedsjaloux.fr
 
diff --git a/nixops/modules/websites/ftp/florian.nix b/nixops/modules/websites/ftp/florian.nix
index 8097507..ebd461e 100644
--- a/nixops/modules/websites/ftp/florian.nix
+++ b/nixops/modules/websites/ftp/florian.nix
@@ -17,19 +17,14 @@ in {
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
       security.acme.certs."ftp".extraDomains."tellesflorian.com" = null;
-      security.acme.certs."florian" = config.services.myCertificates.certConfig // {
-        domain = "tellesflorian.com";
-        extraDomains = {
-          "www.tellesflorian.com" = null;
-        };
-      };
 
       services.websites.production.modules = adminer.apache.modules;
       services.websites.production.vhostConfs.florian = {
-        certName    = "florian";
-        hosts       = [ "tellesflorian.com" "www.tellesflorian.com" ];
-        root        = "${varDir}/tellesflorian.com";
-        extraConfig = [
+        certName     = "florian";
+        certMainHost = "tellesflorian.com";
+        hosts        = [ "tellesflorian.com" "www.tellesflorian.com" ];
+        root         = "${varDir}/tellesflorian.com";
+        extraConfig  = [
           adminer.apache.vhostConf
           ''
           ServerAdmin ${env.server_admin}
@@ -47,11 +42,11 @@ in {
 
     (lib.mkIf cfg.integration.enable {
       security.acme.certs."ftp".extraDomains."florian.immae.eu" = null;
-      security.acme.certs."eldiron".extraDomains."florian.immae.eu" = null;
 
       services.websites.integration.modules = adminer.apache.modules;
       services.websites.integration.vhostConfs.florian = {
         certName    = "eldiron";
+        addToCerts  = true;
         hosts       = [ "florian.immae.eu" ];
         root        = "${varDir}/florian.immae.eu";
         extraConfig = [
diff --git a/nixops/modules/websites/ftp/immae.nix b/nixops/modules/websites/ftp/immae.nix
index e188d95..2ba30a1 100644
--- a/nixops/modules/websites/ftp/immae.nix
+++ b/nixops/modules/websites/ftp/immae.nix
@@ -13,8 +13,6 @@ in {
   config = lib.mkIf cfg.production.enable {
     services.webstats.sites = [ { name = "www.immae.eu"; } ];
 
-    security.acme.certs."eldiron".extraDomains."www.immae.eu" = null;
-
     services.myPhpfpm.poolConfigs.immae = ''
       listen = /run/phpfpm/immae.sock
       user = wwwrun
@@ -31,6 +29,7 @@ in {
     services.websites.production.modules = [ "proxy_fcgi" ];
     services.websites.production.vhostConfs.immae = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "www.immae.eu" ];
       root        = varDir;
       extraConfig = [
@@ -56,10 +55,9 @@ in {
       ];
     };
 
-    security.acme.certs."eldiron".extraDomains."bouya.org" = null;
-    security.acme.certs."eldiron".extraDomains."www.bouya.org" = null;
     services.websites.production.vhostConfs.bouya = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "bouya.org" "www.bouya.org" ];
       root        = null;
       extraConfig = [ ''
diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index a340644..d00c42d 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -15,9 +15,6 @@ in {
     services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ];
 
     security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
-    security.acme.certs."naturaloutil" = config.services.myCertificates.certConfig // {
-      domain = "naturaloutil.immae.eu";
-    };
 
     secrets.keys = [{
       dest = "webapps/prod-naturaloutil";
@@ -60,10 +57,11 @@ in {
       '';
     services.websites.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ];
     services.websites.production.vhostConfs.naturaloutil = {
-      certName    = "naturaloutil";
-      hosts       = ["naturaloutil.immae.eu" ];
-      root        = varDir;
-      extraConfig = [
+      certName     = "naturaloutil";
+      certMainHost = "naturaloutil.immae.eu";
+      hosts        = ["naturaloutil.immae.eu" ];
+      root         = varDir;
+      extraConfig  = [
         adminer.apache.vhostConf
         ''
         Use Stats naturaloutil.immae.eu
diff --git a/nixops/modules/websites/ftp/leila.nix b/nixops/modules/websites/ftp/leila.nix
index 5185372..14bfa20 100644
--- a/nixops/modules/websites/ftp/leila.nix
+++ b/nixops/modules/websites/ftp/leila.nix
@@ -10,15 +10,6 @@ in {
   };
 
   config = (lib.mkIf cfg.production.enable {
-      security.acme.certs."leila" = config.services.myCertificates.certConfig // {
-        domain = "leila.bouya.org";
-        extraDomains = {
-          "chorale.leila.bouya.org" = null;
-          "chorale-vocanta.fr.nf" = null;
-          "www.chorale-vocanta.fr.nf" = null;
-        };
-      };
-
       services.myPhpfpm.poolConfigs.leila = ''
         listen = /run/phpfpm/leila.sock
         user = wwwrun
@@ -41,6 +32,7 @@ in {
       services.websites.production.modules = [ "proxy_fcgi" ];
       services.websites.production.vhostConfs.leila_chorale = {
         certName    = "leila";
+        addToCerts  = true;
         hosts       = [ "chorale.leila.bouya.org" "chorale-vocanta.fr.nf" "www.chorale-vocanta.fr.nf" ];
         root        = "${varDir}/Chorale";
         extraConfig = [
@@ -62,10 +54,11 @@ in {
         ];
       };
       services.websites.production.vhostConfs.leila = {
-        certName    = "leila";
-        hosts       = [ "leila.bouya.org" ];
-        root        = varDir;
-        extraConfig = [
+        certName     = "leila";
+        certMainHost = "leila.bouya.org";
+        hosts        = [ "leila.bouya.org" ];
+        root         = varDir;
+        extraConfig  = [
           ''
           Use Stats leila.bouya.org
           <Directory ${varDir}/Chorale>
diff --git a/nixops/modules/websites/ftp/nassime.nix b/nixops/modules/websites/ftp/nassime.nix
index 9ed8a80..3c982d3 100644
--- a/nixops/modules/websites/ftp/nassime.nix
+++ b/nixops/modules/websites/ftp/nassime.nix
@@ -14,15 +14,13 @@ in {
     services.webstats.sites = [ { name = "nassime.bouya.org"; } ];
 
     security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null;
-    security.acme.certs."nassime" = config.services.myCertificates.certConfig // {
-      domain = "nassime.bouya.org";
-    };
 
     services.websites.production.vhostConfs.nassime = {
-      certName    = "nassime";
-      hosts       = ["nassime.bouya.org" ];
-      root        = varDir;
-      extraConfig = [
+      certName     = "nassime";
+      certMainHost = "nassime.bouya.org";
+      hosts        = ["nassime.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
         ''
         Use Stats nassime.bouya.org
         ServerAdmin ${env.server_admin}
diff --git a/nixops/modules/websites/ftp/papa.nix b/nixops/modules/websites/ftp/papa.nix
index cdbc1b0..c8d05ef 100644
--- a/nixops/modules/websites/ftp/papa.nix
+++ b/nixops/modules/websites/ftp/papa.nix
@@ -11,9 +11,6 @@ in {
 
   config = lib.mkIf cfg.production.enable {
     security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null;
-    security.acme.certs."papa" = config.services.myCertificates.certConfig // {
-      domain = "surveillance.maison.bbc.bouya.org";
-    };
 
     services.cron = {
       systemCronJobs = let
@@ -35,10 +32,11 @@ in {
     };
 
     services.websites.production.vhostConfs.papa = {
-      certName    = "papa";
-      hosts       = [ "surveillance.maison.bbc.bouya.org" ];
-      root        = varDir;
-      extraConfig = [
+      certName     = "papa";
+      certMainHost = "surveillance.maison.bbc.bouya.org";
+      hosts        = [ "surveillance.maison.bbc.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
         ''
         Use Apaxy "${varDir}" "title .duplicity-ignore"
         <Directory ${varDir}>
diff --git a/nixops/modules/websites/ftp/release.nix b/nixops/modules/websites/ftp/release.nix
index 2ddd8bc..db3487f 100644
--- a/nixops/modules/websites/ftp/release.nix
+++ b/nixops/modules/websites/ftp/release.nix
@@ -13,10 +13,9 @@ in {
   config = lib.mkIf cfg.production.enable {
     services.webstats.sites = [ { name = "release.immae.eu"; } ];
 
-    security.acme.certs."eldiron".extraDomains."release.immae.eu" = null;
-
     services.websites.production.vhostConfs.release = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "release.immae.eu" ];
       root        = varDir;
       extraConfig = [
diff --git a/nixops/modules/websites/ftp/temp.nix b/nixops/modules/websites/ftp/temp.nix
index bdd80c0..86dfde3 100644
--- a/nixops/modules/websites/ftp/temp.nix
+++ b/nixops/modules/websites/ftp/temp.nix
@@ -11,11 +11,10 @@ in {
   };
 
   config = lib.mkIf cfg.production.enable {
-    security.acme.certs."eldiron".extraDomains."temp.immae.eu" = null;
-
     services.websites.production.modules = [ "headers" ];
     services.websites.production.vhostConfs.temp = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "temp.immae.eu" ];
       root        = varDir;
       extraConfig = [
diff --git a/nixops/modules/websites/ludivine/default.nix b/nixops/modules/websites/ludivine/default.nix
index dfeff0a..70d5199 100644
--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -25,13 +25,6 @@ in {
       secrets.keys = ludivinecassal_prod.keys;
       services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
 
-      security.acme.certs."ludivinecassal" = config.services.myCertificates.certConfig // {
-        domain = "ludivinecassal.com";
-        extraDomains = {
-          "www.ludivinecassal.com" = null;
-        };
-      };
-
       services.myPhpfpm.preStart.ludivinecassal_prod = ludivinecassal_prod.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.ludivinecassal_prod = ludivinecassal_prod.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal_prod.phpFpm.pool;
@@ -42,15 +35,15 @@ in {
         '';
       services.websites.production.modules = ludivinecassal_prod.apache.modules;
       services.websites.production.vhostConfs.ludivine = {
-        certName    = "ludivinecassal";
-        hosts       = ["ludivinecassal.com" "www.ludivinecassal.com" ];
-        root        = ludivinecassal_prod.apache.root;
-        extraConfig = [ ludivinecassal_prod.apache.vhostConf ];
+        certName     = "ludivinecassal";
+        certMainHost = "ludivinecassal.com";
+        hosts        = ["ludivinecassal.com" "www.ludivinecassal.com" ];
+        root         = ludivinecassal_prod.apache.root;
+        extraConfig  = [ ludivinecassal_prod.apache.vhostConf ];
       };
     })
     (lib.mkIf cfg.integration.enable {
       secrets.keys = ludivinecassal_dev.keys;
-      security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
 
       services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.ludivinecassal_dev = ludivinecassal_dev.phpFpm.serviceDeps;
@@ -63,6 +56,7 @@ in {
       services.websites.integration.modules = ludivinecassal_dev.apache.modules;
       services.websites.integration.vhostConfs.ludivine = {
         certName    = "eldiron";
+        addToCerts  = true;
         hosts       = [ "ludivine.immae.eu" ];
         root        = ludivinecassal_dev.apache.root;
         extraConfig = [ ludivinecassal_dev.apache.vhostConf ];
diff --git a/nixops/modules/websites/piedsjaloux/default.nix b/nixops/modules/websites/piedsjaloux/default.nix
index 6ffb19c..a5ee24f 100644
--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,13 +25,6 @@ in {
       secrets.keys = piedsjaloux_prod.keys;
       services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
 
-      security.acme.certs."piedsjaloux" = config.services.myCertificates.certConfig // {
-        domain = "piedsjaloux.fr";
-        extraDomains = {
-          "www.piedsjaloux.fr" = null;
-        };
-      };
-
       services.myPhpfpm.preStart.piedsjaloux_prod = piedsjaloux_prod.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.piedsjaloux_prod = piedsjaloux_prod.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux_prod.phpFpm.pool;
@@ -42,15 +35,15 @@ in {
         '';
       services.websites.production.modules = piedsjaloux_prod.apache.modules;
       services.websites.production.vhostConfs.piedsjaloux = {
-        certName    = "piedsjaloux";
-        hosts       = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
-        root        = piedsjaloux_prod.apache.root;
-        extraConfig = [ piedsjaloux_prod.apache.vhostConf ];
+        certName     = "piedsjaloux";
+        certMainHost = "piedsjaloux.fr";
+        hosts        = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
+        root         = piedsjaloux_prod.apache.root;
+        extraConfig  = [ piedsjaloux_prod.apache.vhostConf ];
       };
     })
     (lib.mkIf cfg.integration.enable {
       secrets.keys = piedsjaloux_dev.keys;
-      security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
       services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux_dev.phpFpm.pool;
@@ -62,6 +55,7 @@ in {
       services.websites.integration.modules = piedsjaloux_dev.apache.modules;
       services.websites.integration.vhostConfs.piedsjaloux = {
         certName    = "eldiron";
+        addToCerts  = true;
         hosts       = [ "piedsjaloux.immae.eu" ];
         root        = piedsjaloux_dev.apache.root;
         extraConfig = [ piedsjaloux_dev.apache.vhostConf ];
diff --git a/nixops/modules/websites/tellesflorian/default.nix b/nixops/modules/websites/tellesflorian/default.nix
index eb02174..bbbde07 100644
--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -17,7 +17,6 @@ in {
 
   config = lib.mkIf cfg.integration.enable {
     secrets.keys = tellesflorian_dev.keys;
-    security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
     services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart;
     services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps;
     services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian_dev.phpFpm.pool;
@@ -29,6 +28,7 @@ in {
     services.websites.integration.modules = adminer.apache.modules ++ tellesflorian_dev.apache.modules;
     services.websites.integration.vhostConfs.tellesflorian = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["app.tellesflorian.com" ];
       root        = tellesflorian_dev.apache.root;
       extraConfig = [
diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix
index 69b5fb0..5e010f4 100644
--- a/nixops/modules/websites/tools/cloud.nix
+++ b/nixops/modules/websites/tools/cloud.nix
@@ -49,12 +49,11 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    security.acme.certs."eldiron".extraDomains."cloud.immae.eu" = null;
-
     services.websites.tools.modules = [ "proxy_fcgi" ];
 
     services.websites.tools.vhostConfs.cloud = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["cloud.immae.eu" ];
       root        = apacheRoot;
       extraConfig = [
diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix
index ea2105b..075cf48 100644
--- a/nixops/modules/websites/tools/dav/default.nix
+++ b/nixops/modules/websites/tools/dav/default.nix
@@ -27,13 +27,12 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
-
     secrets.keys = davical.keys;
     services.websites.tools.modules = davical.apache.modules;
 
     services.websites.tools.vhostConfs.dav = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["dav.immae.eu" ];
       root        = null;
       extraConfig = [
diff --git a/nixops/modules/websites/tools/db.nix b/nixops/modules/websites/tools/db.nix
index 70650fa..7c15c23 100644
--- a/nixops/modules/websites/tools/db.nix
+++ b/nixops/modules/websites/tools/db.nix
@@ -9,11 +9,10 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null;
-
     services.websites.tools.modules = adminer.apache.modules;
     services.websites.tools.vhostConfs.db-1 = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["db-1.immae.eu" ];
       root        = null;
       extraConfig = [ adminer.apache.vhostConf ];
diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix
index 221e01c..ee5507d 100644
--- a/nixops/modules/websites/tools/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora.nix
@@ -148,13 +148,13 @@ in {
     services.websites.tools.modules = [
       "headers" "proxy" "proxy_http"
     ];
-    security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null;
     system.extraSystemBuilderCmds = ''
       mkdir -p $out/webapps
       ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora
       '';
     services.websites.tools.vhostConfs.diaspora = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "diaspora.immae.eu" ];
       root        = root;
       extraConfig = [ ''
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
index 6222b22..8c9bbb1 100644
--- a/nixops/modules/websites/tools/ether.nix
+++ b/nixops/modules/websites/tools/ether.nix
@@ -136,9 +136,9 @@ in {
     services.websites.tools.modules = [
       "headers" "proxy" "proxy_http" "proxy_wstunnel"
     ];
-    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
     services.websites.tools.vhostConfs.etherpad-lite = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "ether.immae.eu" ];
       root        = null;
       extraConfig = [ ''
diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix
index ea0d971..064d3dd 100644
--- a/nixops/modules/websites/tools/git/default.nix
+++ b/nixops/modules/websites/tools/git/default.nix
@@ -13,8 +13,6 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
-
     secrets.keys = mantisbt.keys;
     services.websites.tools.modules =
       gitweb.apache.modules ++
@@ -27,6 +25,7 @@ in {
 
     services.websites.tools.vhostConfs.git = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["git.immae.eu" ];
       root        = gitweb.apache.root;
       extraConfig = [
diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix
index 38b2107..ffd59dd 100644
--- a/nixops/modules/websites/tools/mastodon.nix
+++ b/nixops/modules/websites/tools/mastodon.nix
@@ -67,13 +67,13 @@ in {
     services.websites.tools.modules = [
       "headers" "proxy" "proxy_wstunnel" "proxy_http"
     ];
-    security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null;
     system.extraSystemBuilderCmds = ''
       mkdir -p $out/webapps
       ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
       '';
     services.websites.tools.vhostConfs.mastodon = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["mastodon.immae.eu" ];
       root        = root;
       extraConfig = [ ''
diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix
index 8a6f03f..eb56b35 100644
--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin.nix
@@ -83,9 +83,9 @@ in {
       "proxy" "proxy_http"
     ];
     users.users.wwwrun.extraGroups = [ "mediagoblin" ];
-    security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
     services.websites.tools.vhostConfs.mgoblin = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["mgoblin.immae.eu" ];
       root        = null;
       extraConfig = [ ''
diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix
index 6cc6d38..12ab3c4 100644
--- a/nixops/modules/websites/tools/peertube.nix
+++ b/nixops/modules/websites/tools/peertube.nix
@@ -153,9 +153,9 @@ in {
     services.websites.tools.modules = [
       "headers" "proxy" "proxy_http" "proxy_wstunnel"
     ];
-    security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null;
     services.websites.tools.vhostConfs.peertube = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "peertube.immae.eu" ];
       root        = null;
       extraConfig = [ ''
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index 5e84f45..061c004 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -46,9 +46,6 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
-    security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
-
     secrets.keys =
       kanboard.keys
       ++ ldap.keys
@@ -86,6 +83,7 @@ in {
 
     services.websites.integration.vhostConfs.devtools = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["devtools.immae.eu" ];
       root        = "/var/lib/ftp/devtools.immae.eu";
       extraConfig = [
@@ -105,6 +103,7 @@ in {
 
     services.websites.tools.vhostConfs.tools = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = ["tools.immae.eu" ];
       root        = "/var/lib/ftp/tools.immae.eu";
       extraConfig = [
@@ -132,11 +131,11 @@ in {
       ];
     };
 
-    security.acme.certs."eldiron".extraDomains."outils.immae.eu" = null;
     services.websites.tools.vhostConfs.outils = {
-      certName = "eldiron";
-      hosts    = [ "outils.immae.eu" ];
-      root     = null;
+      certName   = "eldiron";
+      addToCerts = true;
+      hosts      = [ "outils.immae.eu" ];
+      root       = null;
       extraConfig = [
         ''
         RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1