Diffstat (limited to 'users')
-rw-r--r-- | users/tazjin/nixos/koptevo/default.nix | 19 | ||||
-rw-r--r-- | users/tazjin/secrets/lego-yandex.age | bin | 0 -> 3886 bytes | |||
-rw-r--r-- | users/tazjin/secrets/secrets.nix | 1 |
3 files changed, 18 insertions, 2 deletions
diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 8ccd8dae249d..6203c3d93fc1 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -72,8 +72,22 @@ in
   time.timeZone = "UTC";
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = lib.mkForce "acme@tazj.in";
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = lib.mkForce "acme@tazj.in";
+
+    # wildcard cert for usage with Yggdrasil services
+    certs."y.tazj.in" = {
+      dnsProvider = "yandexcloud";
+      credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
+      extraDomainNames = [ "*.y.tazj.in" ];
+
+      # folder tvl/tazjin-private/default
+      environmentFile = builtins.toFile "lego-yandex-env" ''
+        YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
+      '';
+    };
+  };
   programs.fish.enable = true;
@@ -89,6 +103,7 @@ in
       secretFile = name: depot.users.tazjin.secrets."${name}.age";
     in
     {
+      lego-yandex.file = secretFile "lego-yandex";
       tgsa-yandex.file = secretFile "tgsa-yandex";
     };
diff --git a/users/tazjin/secrets/lego-yandex.age b/users/tazjin/secrets/lego-yandex.age
new file mode 100644
index 000000000000..10524a9577c2
--- /dev/null
+++ b/users/tazjin/secrets/lego-yandex.age
Binary files differ
diff --git a/users/tazjin/secrets/secrets.nix b/users/tazjin/secrets/secrets.nix
index 12f12f721c6c..a29bd30b7766 100644
--- a/users/tazjin/secrets/secrets.nix
+++ b/users/tazjin/secrets/secrets.nix
@@ -13,4 +13,5 @@ in
   "geesefs-tazjins-files.age".publicKeys = allKeys;
   "miniflux.age".publicKeys = allKeys;
   "tgsa-yandex.age".publicKeys = allKeys;
+  "lego-yandex.age".publicKeys = allKeys;
 }
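Review bot: In the first hunk of default.nix, `environmentFile = builtins.toFile "lego-yandex-env" ''…''` writes its contents into the world-readable Nix store, and nothing at that line records that this is deliberate; the value there today (a Yandex Cloud folder ID) is an identifier rather than a credential, while the actual token correctly goes through `credentialFiles` to `/run/agenix/lego-yandex`, but a later edit adding a key to the same env file would silently publish it. I would add above `environmentFile` a comment such as `# builtins.toFile lands in /nix/store (world-readable): only non-secret settings here, credentials stay in credentialFiles`. In the second hunk, `lego-yandex.file = secretFile "lego-yandex"` sets no owner/group, so agenix presumably decrypts it as root with a restrictive mode; that is fine if the ACME service receives it via systemd credentials rather than opening the path as the `acme` user, which is worth confirming against the module's behaviour. Whether the stored credential is a long-lived service-account key or a short-lived IAM token cannot be told from the diff; if it is the latter, wildcard renewals would start failing once it expires, so the key type deserves a one-line comment next to `dnsProvider = "yandexcloud";`.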