[fugitive] Set up wildcard cert

lib/modules/headscale/default.nix

@@ -17,7 +17,7 @@ in {
 
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "enclave.ctsk.dev";
     locations."/".proxyPass = "http://127.0.0.1:${toString port}";
     locations."/".proxyWebsockets = true;
   };

lib/systems/fugitive/default.nix

@@ -1,4 +1,4 @@
-{ impermanence, pkgs, ... }:
+{ config, pkgs, agenix, ... }:
 
 let 
 
@@ -67,6 +67,10 @@ in
     };
   };
 
+  age = {
+    secrets.namecheap.file = ../../../secrets/namecheap.age;
+  };
+
   security = {
     sudo = {
       wheelNeedsPassword = false;
@@ -76,7 +80,14 @@ in
     };
     acme = {
       acceptTerms = true;
-      defaults.email = "cert@ctsk.xyz";
+      defaults.email = "monitor@ctsk.dev";
+      
+      certs."enclave.ctsk.dev" = {
+        dnsProvider = "namecheap";
+        environmentFile = config.age.secrets.namecheap.path;
+        group = "nginx";
+        extraDomainNames = [ "*.enclave.ctsk.dev" ];
+      };
     };
   };
 

lib/systems/fugitive/hardware.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, impermanence, ... }:
 
 {
   imports =