fix: make sure the cert is valid on *all* domains

hosts/ami/acme.nix

@@ -5,11 +5,14 @@
     acceptTerms = true;
     defaults.email = "acme@buffet.sh";
     certs."buffet.sh" = {
-      domain = "*.buffet.sh";
-      extraDomainNames = ["*.buffets.kitchen"];
       group = "nginx";
       dnsProvider = "hetzner";
       credentialsFile = config.age.secrets.hetzner-dns.path;
+
+      extraDomainNames = [
+        "*.buffet.sh"
+        "buffets.kitchen"
+      ];
     };
   };
 }