author | Vincent Ambo <tazjin@tvl.su> | 2024-09-14T19·52+0300 |
committer | tazjin <tazjin@tvl.su> | 2024-09-14T23·47+0000 |
commit | adf8a7da8743f7d41e1040660919c374be8cc569 (patch) | |
tree | 01b9801101a6999fe217c51c59c1014572e14448 /users/tazjin/nixos/koptevo | |
parent | e5edb3b192760fa732670a2db47596a0d4fdd4d5 (diff) |
feat(tazjin/nixos): issue wildcard cert for yggdrasil services r/8689
Issue a wildcard certificate using the Yandex Cloud DNS plugin (which is where DNS for tazj.in is hosted). Change-Id: I44fa48add660f4f4324ec4b056a81d78c45ff4f4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/12481 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
Diffstat (limited to 'users/tazjin/nixos/koptevo')
-rw-r--r-- | users/tazjin/nixos/koptevo/default.nix | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 8ccd8dae249d..6203c3d93fc1 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -72,8 +72,22 @@ in
 time.timeZone = "UTC";
- security.acme.acceptTerms = true;
- security.acme.defaults.email = lib.mkForce "acme@tazj.in";
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = lib.mkForce "acme@tazj.in";
+
+ # wildcard cert for usage with Yggdrasil services
+ certs."y.tazj.in" = {
+ dnsProvider = "yandexcloud";
+ credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
+ extraDomainNames = [ "*.y.tazj.in" ];
+
+ # folder tvl/tazjin-private/default
+ environmentFile = builtins.toFile "lego-yandex-env" ''
+ YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
+ '';
+ };
+ };
 programs.fish.enable = true;
@@ -89,6 +103,7 @@ in
 secretFile = name: depot.users.tazjin.secrets."${name}.age";
 in
 {
+ lego-yandex.file = secretFile "lego-yandex";
 tgsa-yandex.file = secretFile "tgsa-yandex";
 };
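Review bot: The `environmentFile = builtins.toFile ...` in the first hunk lands in the Nix store, which is world-readable on the host and in any binary cache the closure is pushed to, so the comment above it should state explicitly that this file may only ever carry non-secret values and that the IAM token must stay on the `credentialFiles` path — e.g. `# folder tvl/tazjin-private/default; NOT secret (lives in /nix/store). The IAM token must stay in credentialFiles, never here.`. The split as written looks correct, since only the folder ID is inlined and the token is read from `/run/agenix/lego-yandex`, but nothing in the file records that this is a deliberate boundary, and a later edit adding another `YANDEX_CLOUD_*` variable to the heredoc would silently leak it. In the second hunk, `lego-yandex.file = secretFile "lego-yandex";` sets no `owner`/`group`; that is presumably fine because NixOS hands `credentialFiles` to lego via systemd credentials read by root, but if this deployment runs lego under the `acme` user without that mechanism the default root-only agenix permissions would break renewal, so a short comment tying the agenix entry to the `credentialFiles` reference (`# consumed by security.acme.certs."y.tazj.in".credentialFiles`) would help the next reader. Both hunks sit inside the module attribute set, whose start and end are outside the diff.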