Expose ACME support in payjoin directory binary

nothingmuch · nothingmuch · commit f8a147dc4ee3 · 2025-10-08T22:35:53.000+02:00
Currently the certificate cache directory is mandatory. In principle it
doesn't have to be.
diff --git a/payjoin-directory/src/cli.rs b/payjoin-directory/src/cli.rs
@@ -16,6 +16,10 @@ pub struct Cli {
     #[arg(long, env = "PJ_METRIC_PORT", help = "The port to bind for prometheus metrics export")]
     pub metrics_port: Option<u16>, // TODO tokio_listener::ListenerAddressLFlag
 
+    #[cfg(feature = "acme")]
+    #[clap(flatten)]
+    pub acme: AcmeCli,
+
     #[arg(
         long,
         env = "PJ_DIR_TIMEOUT_SECS",
@@ -37,3 +41,22 @@ pub struct Cli {
     )]
     pub ohttp_keys: Option<PathBuf>,
 }
+
+#[cfg(feature = "acme")]
+#[derive(Debug, Parser)]
+pub struct AcmeCli {
+    #[arg(long = "acme-domain", help = "The domain for which to request a certificate using ACME")]
+    pub domain: Option<String>,
+
+    #[arg(
+        long = "acme-contact",
+        help = "Contact information for ACME usage (e.g. 'mailto:admin@example.com')"
+    )]
+    pub contact: Option<String>,
+
+    #[arg(long, help = "Whether to use the staging environment [default: production]")]
+    pub lets_encrypt_staging: Option<bool>,
+
+    #[arg(long = "acme-cache-dir", help = "What directory to use for the ACME cache")]
+    pub cache_dir: Option<PathBuf>,
+}
diff --git a/payjoin-directory/src/config.rs b/payjoin-directory/src/config.rs
@@ -17,6 +17,27 @@ pub struct Config {
     pub timeout: Duration,
     pub storage_dir: PathBuf,
     pub ohttp_keys: PathBuf, // TODO OhttpConfig struct with rotation params, etc
+    #[cfg(feature = "acme")]
+    pub acme: Option<AcmeConfig>,
+}
+
+#[cfg(feature = "acme")]
+#[derive(Debug, Clone, Deserialize)]
+pub struct AcmeConfig {
+    pub domain: String,
+    pub contact: String,
+    pub lets_encrypt_staging: bool,
+    pub cache_dir: PathBuf,
+}
+
+#[cfg(feature = "acme")]
+impl From<AcmeConfig> for tokio_rustls_acme::AcmeConfig<std::io::Error, std::io::Error> {
+    fn from(acme_config: AcmeConfig) -> Self {
+        tokio_rustls_acme::AcmeConfig::new([acme_config.domain])
+            .contact_push(acme_config.contact)
+            .cache(tokio_rustls_acme::caches::DirCache::new(acme_config.cache_dir))
+            .directory_lets_encrypt(!acme_config.lets_encrypt_staging)
+    }
 }
 
 impl Config {
@@ -35,12 +56,23 @@ impl Config {
             timeout: Duration::from_secs(built_config.get("timeout")?),
             storage_dir: built_config.get("storage_dir")?,
             ohttp_keys: built_config.get("ohttp_keys")?,
+            #[cfg(feature = "acme")]
+            acme: if built_config.get_table("acme").is_ok() {
+                Some(AcmeConfig {
+                    domain: built_config.get("acme.domain")?,
+                    contact: built_config.get("acme.contact")?,
+                    lets_encrypt_staging: built_config.get("acme.lets_encrypt_staging")?,
+                    cache_dir: built_config.get("acme.cache_dir")?,
+                })
+            } else {
+                None
+            },
         })
     }
 }
 
 fn add_defaults(config: Builder, cli: &Cli) -> Result<Builder, ConfigError> {
-    config
+    let config = config
         .set_default("listen_addr", "[::]:8080")?
         .set_override_option("listen_addr", cli.port.map(|port| format!("[::]:{}", port)))?
         .set_default("metrics_listen_addr", Option::<String>::None)?
@@ -58,5 +90,21 @@ fn add_defaults(config: Builder, cli: &Cli) -> Result<Builder, ConfigError> {
         .set_override_option(
             "storage_dir",
             cli.storage_dir.clone().map(|s| s.to_string_lossy().into_owned()),
-        )
+        )?;
+
+    #[cfg(feature = "acme")]
+    let config = if cli.acme.domain.is_some() {
+        config
+            .set_override_option("acme.domain", cli.acme.domain.clone())?
+            .set_override_option("acme.contact", cli.acme.contact.clone())?
+            .set_override_option("acme.lets_encrypt_staging", cli.acme.lets_encrypt_staging)?
+            .set_override_option(
+                "acme.cache_dir",
+                cli.acme.cache_dir.clone().map(|s| s.to_string_lossy().into_owned()),
+            )?
+    } else {
+        config
+    };
+
+    Ok(config)
 }
diff --git a/payjoin-directory/src/main.rs b/payjoin-directory/src/main.rs
@@ -38,7 +38,15 @@ async fn main() -> Result<(), BoxError> {
     }
 
     let listener = TcpListener::bind(config.listen_addr).await?;
+
+    #[cfg(feature = "acme")]
+    if let Some(acme_config) = config.acme {
+        service.serve_acme(listener, acme_config.into()).await;
+        return Ok(());
+    }
+
     service.serve_tcp(listener).await;
+
     Ok(())
 }
 

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,15 @@ async fn main() -> Result<(), BoxError> {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`let listener = TcpListener::bind(config.listen_addr).await?;`
	`41`	`+`
	`42`	`+ #[cfg(feature = "acme")]`
	`43`	`+ if let Some(acme_config) = config.acme {`
	`44`	`+ service.serve_acme(listener, acme_config.into()).await;`
	`45`	`+ return Ok(());`
	`46`	`+ }`
	`47`	`+`
`41`	`48`	`service.serve_tcp(listener).await;`
	`49`	`+`
`42`	`50`	`Ok(())`
`43`	`51`	`}`
`44`	`52`