Say I don’t care about the certificate and its security because it’s only meant for local testing. Is there an easy way to have nix auto-generate a certificate key pair for me when configuring services.nginx?
If you enable ACME (with enableACME = true; at the same level as serverName) you get a self-signed certificate by default, until you get a real certificate from Let’s Encrypt, which might as well be never.
If you don’t like having failed units, you can have a look at the tests under nixos/tests in nixpkgs; there are many that create test certs and keys with openssl.
There are a number of parameters that people would like to tune and adjust according to their needs. I feel that a function like this would either be useful only to a small number of people, or a monster of a function if we wanted to parameterize everything, but I may be mistaken.
Also, that would need to emit a warning or some sort of “please don’t shoot yourself in the foot by putting a secret in a world-readable store” opt-in mechanism.
Oh no, you do not want to do it this way. This is, fundamentally, a non-reproducible derivation, with private information stored in the nix store. That’s two problems.
You have one derivation that will produce randomized outputs. As your system is updated, this derivation will be rebuilt, and every time that happens, the keys are going to change.
Files stored in the nix store are readable by all users on the system, which is highly recommended against for secret key material like this.
A consequence of the combination of these two problems is that this derivation can be copied around as a Nix derivation, which makes no sense. Randomly generated keys shouldn’t be substitutable with nix substitution, and in fact the mere possibility of that opens you up to accidentally substituting third-party-provided keys, which is a massive security risk.
The correct way to handle keys like this is to generate them at runtime, not at build time, and store them in local (non-nix-store) storage. You should use a systemd service to run the code to do this at the right time during boot.
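The approach the last reply describes, written out as a NixOS module fragment. This is an added example, not code from the thread or from nixpkgs: the service name local-tls-cert, the directory /var/lib/local-tls and the host name dev.localhost are assumptions chosen for illustration. The key pair is created once, at boot, by a one-shot systemd service that runs before nginx; it lives outside the Nix store, is owned by the nginx user with mode 0400, and is not regenerated on rebuilds, so the three problems named above (non-reproducible derivation, world-readable secret, substitutable keys) do not arise.

```nix
# Added example (not from the thread). Names marked below are assumptions.
{ config, pkgs, ... }:

let
  # Assumed location for the runtime-generated key pair; deliberately not in /nix/store.
  certDir = "/var/lib/local-tls";
  hostName = "dev.localhost";   # assumed local test host name
in
{
  # One-shot unit: generates the key and certificate at boot, before nginx starts.
  systemd.services.local-tls-cert = {
    description = "Generate a self-signed certificate for local testing";
    wantedBy = [ "multi-user.target" ];
    before = [ "nginx.service" ];
    requiredBy = [ "nginx.service" ];
    path = [ pkgs.openssl ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # systemd creates /var/lib/local-tls for us (root-owned).
      StateDirectory = "local-tls";
    };
    script = ''
      set -eu
      # Generate only if missing: a system rebuild must not rotate the key.
      if [ ! -s ${certDir}/key.pem ] || [ ! -s ${certDir}/cert.pem ]; then
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=${hostName}" \
          -addext "subjectAltName=DNS:${hostName},IP:127.0.0.1" \
          -keyout ${certDir}/key.pem -out ${certDir}/cert.pem
      fi
      # Only the nginx user may read the private key; the certificate is public.
      chown ${config.services.nginx.user}:${config.services.nginx.group} ${certDir}/key.pem
      chmod 0400 ${certDir}/key.pem
      chmod 0444 ${certDir}/cert.pem
    '';
  };

  services.nginx = {
    enable = true;
    virtualHosts.${hostName} = {
      forceSSL = true;
      # Paths are plain strings, so nothing here is copied into the store.
      sslCertificate = "${certDir}/cert.pem";
      sslCertificateKey = "${certDir}/key.pem";
      locations."/".root = pkgs.writeTextDir "index.html" "<h1>local TLS test</h1>";
    };
  };
}
```

After a rebuild, systemctl status local-tls-cert should show the unit as active (exited), and the key file should be owned by nginx with mode 0400. Because the unit is requiredBy nginx.service, nginx will not start if certificate generation fails, which surfaces a problem immediately instead of leaving nginx running on a missing key. Removing the two files and rebooting produces a fresh pair without touching the system configuration.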