Merge pull request 'feat: use hetzner dns to get wildcard cert from lets encrypt' (#5) from wildcard-certificate into main

Reviewed-on: #5

hosts/ami/acme.nix

@@ -1,14 +1,14 @@
-_: {
+{config, ...}: {
+  age.secrets.hetzner-dns.file = ../../secrets/hetzner-dns.age;
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "acme@buffet.sh";
     certs."buffet.sh" = {
-      extraDomainNames = [
-        "404.buffet.sh"
-        "bitwarden.buffet.sh"
-        "rap.buffet.sh"
-        "buffets.kitchen"
-      ];
+      domain = "*.buffet.sh";
+      group = "nginx";
+      dnsProvider = "hetzner";
+      credentialsFile = config.age.secrets.hetzner-dns.path;
     };
   };
 }

hosts/ami/website.nix

@@ -10,7 +10,7 @@
     recommendedTlsSettings = true;
 
     virtualHosts."buffet.sh" = {
-      enableACME = true;
+      useACMEHost = "buffet.sh";
       forceSSL = true;
       root = "${website}";
     };

secrets.nix

@@ -3,6 +3,7 @@ let
 in {
   "secrets/bitwarden.age".publicKeys = [buffet];
   "secrets/borgpassword.age".publicKeys = [buffet];
+  "secrets/hetzner-dns.age".publicKeys = [buffet];
   "secrets/kitchen-runner-token.age".publicKeys = [buffet];
   "secrets/msmtppassword.age".publicKeys = [buffet];
 }

secrets/hetzner-dns.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 zRvPWg 3ihM8FBFjebzTErFkqn6Byfw2D/W45gkwVczLm0I7Tg
+uV3GJXI9zKT1q4/Z3hF1eE8wN5fnDFMyJOH/3bcq+Vk
+--- jcd587gk1OjweyDm7teUUt+6u3A7JXIX0aBEjBJPOBg
+÷Úc;y§_taîŽíiÀ*­˜ÕþÁdKù^à÷x
ÚH+:=1ŒÙo)”
+…¦C„wât&d©u
Î^ŽÔniÅÎzF@