From d6eb3aa28b0d4b2ea0d06d2684f4787e03986f09 Mon Sep 17 00:00:00 2001
From: buffet
Date: Wed, 22 May 2024 08:32:00 +0200
Subject: [PATCH] feat: use hetzner dns to get wildcard cert from lets encrypt

---
 hosts/ami/acme.nix | 14 +++++++-------
 hosts/ami/website.nix | 2 +-
 secrets.nix | 1 +
 secrets/hetzner-dns.age | 6 ++++++
 4 files changed, 15 insertions(+), 8 deletions(-)
 create mode 100644 secrets/hetzner-dns.age

diff --git a/hosts/ami/acme.nix b/hosts/ami/acme.nix
index 713030f..c9af121 100644
--- a/hosts/ami/acme.nix
+++ b/hosts/ami/acme.nix
@@ -1,14 +1,14 @@
-_: {
+{config, ...}: {
+ age.secrets.hetzner-dns.file = ../../secrets/hetzner-dns.age;
+
 security.acme = {
 acceptTerms = true;
 defaults.email = "acme@buffet.sh";
 certs."buffet.sh" = {
- extraDomainNames = [
- "404.buffet.sh"
- "bitwarden.buffet.sh"
- "rap.buffet.sh"
- "buffets.kitchen"
- ];
+ domain = "*.buffet.sh";
+ group = "nginx";
+ dnsProvider = "hetzner";
+ credentialsFile = config.age.secrets.hetzner-dns.path;
 };
 };
 }
diff --git a/hosts/ami/website.nix b/hosts/ami/website.nix
index ebc18a7..b5bb3fb 100644
--- a/hosts/ami/website.nix
+++ b/hosts/ami/website.nix
@@ -10,7 +10,7 @@
 recommendedTlsSettings = true;
 virtualHosts."buffet.sh" = {
- enableACME = true;
+ useACMEHost = "buffet.sh";
 forceSSL = true;
 root = "${website}";
 };
diff --git a/secrets.nix b/secrets.nix
index 1335d0b..f478d4d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -3,6 +3,7 @@ let
 in {
 "secrets/bitwarden.age".publicKeys = [buffet];
 "secrets/borgpassword.age".publicKeys = [buffet];
+ "secrets/hetzner-dns.age".publicKeys = [buffet];
 "secrets/kitchen-runner-token.age".publicKeys = [buffet];
 "secrets/msmtppassword.age".publicKeys = [buffet];
 }
diff --git a/secrets/hetzner-dns.age b/secrets/hetzner-dns.age
new file mode 100644
index 0000000..56970a6
--- /dev/null
+++ b/secrets/hetzner-dns.age
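Review bot: With `domain = "*.buffet.sh"` the certificate is issued for the wildcard name only, and a wildcard does not match the apex, so `virtualHosts."buffet.sh"` in hosts/ami/website.nix (now `useACMEHost = "buffet.sh"`) would serve a certificate that does not cover `buffet.sh` itself unless something outside this patch adds it; add `extraDomainNames = ["buffet.sh"];` beside `domain`, or set `domain = "buffet.sh"; extraDomainNames = ["*.buffet.sh"];`. The removed `"buffets.kitchen"` entry is no longer covered by any cert in this patch, so any vhost still serving that name needs its own `certs` entry, and for the DNS challenge that zone would also have to be hosted at Hetzner. A Hetzner DNS API token can modify the whole zone, so scope it to the minimum the provider allows and rotate it independently of the other secrets. agenix decrypts to a root-only file (mode 0400 by default), which should be fine as long as the acme module reads `credentialsFile` as root rather than as the acme user — confirm on the first issuance before relying on automatic renewal.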
@@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 zRvPWg 3ihM8FBFjebzTErFkqn6Byfw2D/W45gkwVczLm0I7Tg +uV3GJXI9zKT1q4/Z3hF1eE8wN5fnDFMyJOH/3bcq+Vk +--- jcd587gk1OjweyDm7teUUt+6u3A7JXIX0aBEjBJPOBg +÷Úc;y§_taîŽíiÀ*­˜ÕþÁdKù^à÷xÚH+:=1ŒÙo)” +…¦C„wât&d©uÎ^ŽÔniÅÎzF@ \ No newline at end of file -- 2.46.0