[fugitive] Set up wildcard cert

lib/modules/headscale/default.nix

@@ -17,7 +17,7 @@ in {
 
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "enclave.ctsk.dev";
     locations."/".proxyPass = "http://127.0.0.1:${toString port}";
     locations."/".proxyWebsockets = true;
   };

lib/systems/fugitive/default.nix

@@ -1,4 +1,4 @@
-{ impermanence, pkgs, ... }:
+{ config, pkgs, agenix, ... }:
 
 let 
 
@@ -67,6 +67,10 @@ in
     };
   };
 
+  age = {
+    secrets.namecheap.file = ../../../secrets/namecheap.age;
+  };
+
   security = {
     sudo = {
       wheelNeedsPassword = false;
@@ -76,7 +80,14 @@ in
     };
     acme = {
       acceptTerms = true;
-      defaults.email = "cert@ctsk.xyz";
+      defaults.email = "monitor@ctsk.dev";
+      
+      certs."enclave.ctsk.dev" = {
+        dnsProvider = "namecheap";
+        environmentFile = config.age.secrets.namecheap.path;
+        group = "nginx";
+        extraDomainNames = [ "*.enclave.ctsk.dev" ];
+      };
     };
   };
 

lib/systems/fugitive/hardware.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, impermanence, ... }:
 
 {
   imports =

secrets/namecheap.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 jfi4TQ Mr2LVSJ3Qs03ZQm6/QXpl0Cj5szDcS96FykXk5WLnw0
+hHTV/lno3zsmJbxQLvMxBO8CPXBUpFkDuS5595QHpsE
+-> <{fBHP-grease FcCEA :6 SSUZ y,$Ho
+JzJVrqUxVGP8TMZkNaj9Og3kvL3buI6b+DSfkDg/UBqVAign2dcvOh0njPFHDRDd
+7jK+4c1x9e8fdas4Z+ceorzj4TYYTYLVakc68MV9FbJ9LOmn
+--- L6xbkwzb4O64N0mM/L7I/+o/Z+MABEZhlzGoszoCapY
+fx

secrets/secrets.nix

@@ -0,0 +1,6 @@
+let
+  fugitive = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHVatfyuEoMyvQedoS/dvjPg9NZZYlmWgUnNOGvwVe6";
+in
+{
+  "namecheap.age".publicKeys = [ fugitive ];
+}