about summary refs log tree commit diff
path: root/users/tazjin/nixos/koptevo
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@tvl.su>2024-09-14T19·52+0300
committertazjin <tazjin@tvl.su>2024-09-14T23·47+0000
commitadf8a7da8743f7d41e1040660919c374be8cc569 (patch)
tree01b9801101a6999fe217c51c59c1014572e14448 /users/tazjin/nixos/koptevo
parente5edb3b192760fa732670a2db47596a0d4fdd4d5 (diff)
feat(tazjin/nixos): issue wildcard cert for yggdrasil services r/8689
Issue a wildcard certificate using the Yandex Cloud DNS plugin (which is where
DNS for tazj.in is hosted).

Change-Id: I44fa48add660f4f4324ec4b056a81d78c45ff4f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12481
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'users/tazjin/nixos/koptevo')
-rw-r--r--users/tazjin/nixos/koptevo/default.nix19
1 files changed, 17 insertions, 2 deletions
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 8ccd8dae249d..6203c3d93fc1 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -72,8 +72,22 @@ in
 
   time.timeZone = "UTC";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = lib.mkForce "acme@tazj.in";
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = lib.mkForce "acme@tazj.in";
+
+    # wildcard cert for usage with Yggdrasil services
+    certs."y.tazj.in" = {
+      dnsProvider = "yandexcloud";
+      credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
+      extraDomainNames = [ "*.y.tazj.in" ];
+
+      # folder tvl/tazjin-private/default
+      environmentFile = builtins.toFile "lego-yandex-env" ''
+        YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
+      '';
+    };
+  };
 
   programs.fish.enable = true;
 
@@ -89,6 +103,7 @@ in
       secretFile = name: depot.users.tazjin.secrets."${name}.age";
     in
     {
+      lego-yandex.file = secretFile "lego-yandex";
       tgsa-yandex.file = secretFile "tgsa-yandex";
     };