From adf8a7da8743f7d41e1040660919c374be8cc569 Mon Sep 17 00:00:00 2001
From: Vincent Ambo <tazjin@tvl.su>
Date: Sat, 14 Sep 2024 22:52:54 +0300
Subject: [PATCH] feat(tazjin/nixos): issue wildcard cert for yggdrasil
 services

Issue a wildcard certificate using the Yandex Cloud DNS plugin (which is where
DNS for tazj.in is hosted).

Change-Id: I44fa48add660f4f4324ec4b056a81d78c45ff4f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12481
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
---
 users/tazjin/nixos/koptevo/default.nix |  19 +++++++++++++++++--
 users/tazjin/secrets/lego-yandex.age   | Bin 0 -> 3886 bytes
 users/tazjin/secrets/secrets.nix       |   1 +
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 users/tazjin/secrets/lego-yandex.age

diff --git a/users/tazjin/nixos/koptevo/default.nix b/users/tazjin/nixos/koptevo/default.nix
index 8ccd8dae2..6203c3d93 100644
--- a/users/tazjin/nixos/koptevo/default.nix
+++ b/users/tazjin/nixos/koptevo/default.nix
@@ -72,8 +72,22 @@ in
 
   time.timeZone = "UTC";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = lib.mkForce "acme@tazj.in";
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = lib.mkForce "acme@tazj.in";
+
+    # wildcard cert for usage with Yggdrasil services
+    certs."y.tazj.in" = {
+      dnsProvider = "yandexcloud";
+      credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
+      extraDomainNames = [ "*.y.tazj.in" ];
+
+      # folder tvl/tazjin-private/default
+      environmentFile = builtins.toFile "lego-yandex-env" ''
+        YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
+      '';
+    };
+  };
 
   programs.fish.enable = true;
 
@@ -89,6 +103,7 @@ in
       secretFile = name: depot.users.tazjin.secrets."${name}.age";
     in
     {
+      lego-yandex.file = secretFile "lego-yandex";
       tgsa-yandex.file = secretFile "tgsa-yandex";
     };
 
diff --git a/users/tazjin/secrets/lego-yandex.age b/users/tazjin/secrets/lego-yandex.age
new file mode 100644
index 0000000000000000000000000000000000000000..10524a9577c2fc07becd8362eea33451171316f6
GIT binary patch
literal 3886
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnNiI(GDOU(FbWQdO
zEB8w@D=A1e2r>@LFNjDnFAXXv@J#netw@Z_Nq3GgGmG+bcjYoD&nfiQE)Dd|Oe_fr
zDsYN4E=f1{3ko#P2sSEm&P=g%&kFR(kE}2ZDo3}iD%rU-!%?9y#m%{_(8wUzEyyLz
zG|$w>F~rZUq%6WPx!ld)OWV7=)Gy1iBF)J+tDGx4+1V$z$k*ISyEr#DD=#TE+srRB
zIa$BV#K0mw+{noyNIzHK&9R^;#~0nUf(*-?%yfnP5J&IAu;Q|asM5fcAoKi4x59$p
z#N4Rh;!w+^)SOVSH1i-oV~adv7ZWZoZ-a~wBNJ0|{gMDvN6%0vXQP}dw@5>u)bg;R
z%%p(ilFGcuG-Fpo-%xbh97{}n6Vnw^{LG_VlRZi!Ds%Ik%A(AYwT-Gm6Mela!ZR$q
z3_UBNj57_~Qi_88vrV`%@-l-g1JW{sQ}V*SbNsU%s|*5NOAS1n3q36}O%sz-{qmjC
zoXbPXa?-hUb#)bj{9Llb90LtAJ(IJ|OUuJEi;BG5OfvLK9Sze8%PR^~{mauVLw%ET
z3{1Gf*SLN@FTwsVsC)Vp$4lJqrh2S$VH)f8l5V-YzW-KVMEcX|`H#;9{tQ~#aE2+T
zt@t8K#f!=^p?g~!8j7|~zmp|UzPu~zui@+$KSe_d?98=={C-TEc)9PTvh=ziaz9R}
zUi+fuBJtlUO|C-ZCp-7fpBnsKD><CJ?5{DXb@*(~eR_M5@s5u2O)eLmr3~M`3n*%J
z(U;u)R6(X*;*-z3JIBl4<Zd$FY5UIf&fW4wOLzOd)-g(M6xrX`vBA70COEsyT5wVP
zk;tg^YiHM%Csy=o-F_&>#NT<`$k@2%%DH-mUV$?ovLx?^I^SxL>2$R_HvbN5?8n+=
zZi|CX#WTc7^shf1c*AMiN-w_T_j^7nFs#>4H^260(v>2Y6~7o0#C2oNxO{wE6na{3
zg2b&qa~3uFb^gD4&+Nv_w+)Rv<;PD4*4fqRsi~GUUQE&4v_L;P$WnBV)t2t<t)^lh
zU$?)uez+lFg-9d&um1m<k4#dGR%YIp6Yy=BWT+O#aXop<nu*LV#})@M|4BP!c$w{Q
z-50ys$s6B1arM}f)f%^L*_I8feHU%p8+Uraxs~i**^BL1I&w7r*HvvQxicrM<IgE$
zm+0-!tup*??@Q$mv^F@v<9*w1c}14+N^yNwrJA*dTW=h5P4C~fjnUZU`)TE;cGmBi
zedSJ{ToTosWHc?})dI<w2f}Y=-}@NQbJe?Nhsqm<7tGBQM5apU-?$jr64Y7rB7U8_
zqu!5czp^hcbxsc0|GoRQ!iiUQk~hzuk$JZ%wC>#Ue%)#@GrNDE=W~U7U#n?YBg|Wu
zx3Xr-zmw*Zm+jQ%)oYnJkN;fgbsyQOjxX<ibKme_UHVq59S3(mQ<MK?F!3JWUT4?W
z6LZ7w7tc$YWVfkZ$7&L5VO3cB-dW8%4o4IP#(qAzFppv5vww>Y|F#hBN?xiPwOeU|
zR_sdE!m0YFRz`DJ9NC`#Dyb`Gida{b*6F(!y5F8%kY{<VFJx~1_1zO#%75&RoagHN
zkR$(BvNDgd@l{>*h96ba;yygBPJfyg%_h12)*t1W{~dQaES@A~!|Kv>en!*f9#=Dm
ztv&`PZb==jP^~)an&!qQ);X6m;dIxdTSug0*?KzGZqa-D$ZP-eUCT_bo-EZr<E2%q
z#A3NBJy_^N=Y(sFKP@K-huHI;`h5R_>bK>mu72%|Iv{-GmFRmj-wA#Zy~fh=ob7?d
z43!eR`)_vgm%e*ulAQWR{-@AS`Cpp-{N36Y7RvP}vI#Q#JX^{Cxg*x3MQ_^{;b(7N
z-@18+-E~f&65|ikSTTl&zmF<T)-o!KNjtN*zFF|gEz4Vr;+OjbWJkntINT0uZ!b^z
z;;hv=+i;8L(#_RB-hchNWSL0)+~5UgW1~N8j$(NFkA*MEBu_ud-RCnmL&3*mz0Xf9
z=>B~nuclvExGzViu-<%Qj`%UFl@|hMw{9-aUdt5Pc2%f*SAU>_*4_En&Nun>=5Fj)
zW1I3&>Wt#*#{WsWK_}bKTN<Zdoi){2c2&mdpjB$0Ri@5L@lf%8_^LDG?9bB;6IeDB
zWnWku^?AZ=onIdr6qn?@buwER>)HH^i^IZwsdW9G1yN0@YnA%uY`J72BXIut$C=)#
z;deKe?|ztZwP5y(O1Im)XDQV6J!?5WyD9UtiZ641X7;MvJ5}Uo{LgPMmu0!={_bi*
zwU^+vL;Y;`>{xF4bsU^4_wI#2apKSR%HNe+H@<O{h-CR*!F}WCj)S{JuYEkudEP1V
zj>7l*b@v*1g~gxT4L6@|ulDQZr#bBJ1mth-oN;Essa(GJ--krlJ@!2h6;ky)bob+>
zXr}m|ca1BwCqxvB8TqR`+#I#8X;-&h^bcMc?iY5;w=dnB^84D#pS@3f7oR#2ArTk#
z>dgPj9ks3hqC)q*`Dpz1%>so4vroURlv8bHE-%UYCv&ba(tX>B0!F8My5Yi!sqf;r
z)e;rG7Q7Qp-XHvpVTtLc$+GJwaQrziWzs9H;H}H^-8aW`u|Hezao+vIc5S%}etqE!
zeHP|3O`6{&(=xneoz|}l?{@vm;N?xZo#Oj7^x&q;J@(lv4kknu23|E?%2Bgbx#if-
zs$R`DZY||7-TAwn6)Qp)Y%@;1{UfxS_omtAgFC*6o(T`JKlS8X=!;L!Qhql(ez5+N
zC&jTL@3`HDPbxoad=(jAmEPGqPxzXd`qixa$Knn5C&=u~{<tDZ)1kQYTh#{%foW2F
zHPKeOM{N`o-QVf9%5gV^b=&$U)iV?vU;cHH;SYVEGUj>rk~BoWg-(4Txaj(|`t+pf
z7fwd4&96!CS``{I@1BO&r@x+Fw{Et+RB*YP5ULk$ka1~kCxdoEx^0MPvWKOIxAq&S
z4f<#2*zcV=d3M0LIoTZTYBP5h^h&L}mLf2x|H#h7<!<lt)46}Otp0d{?Q&CvgM7b%
zp~dI$Q^(ufe%QT~S;0GXACE)z$z$<z&UD{!yQ^nsHs^GWe$yeNrE3dJjkWyEJ|thB
zqtO5TRQe`Xz0MDchpx3gIQ}!L-}bcen{SC?Hg}Cn@92qTJW_ilwm7`!Dx<wz?&{b1
z-BHV*bS;?v>f5=`$!mnp{$5cVqIYXo;?d-vwnEIAyW^*1G(S_4RO0Yu3uUnEOE8eA
z<$cf_aOhUOfa|KFi-}S({2QX4bQXLOYcpDxy0AZef9qbKA6~k(+dnKjwCnS2YmXId
zUYyEoe_h$-KcBHYE2g!*@pG`N;KAB&O#FvUE9N_t7OoUK&Rm-9vVY3mwQE8m4ZX|F
zLcTsfRIsmae{@lbi5qYCd)Yl*M|MQrGj<hCI3et?$ah)9Qqv=%LRqtVUaGBFpS9@9
z`B^QQ#kWMgOXmEO@Uo8Lops~G#rjvt4rlr;jrRon*zEILTJ1~Zrr;y%Bkn8?_&;gV
z50yo)6fT`U{Xh0|+-z0(9fh$sc6D0L`&4e(c{F)~&da34WxcNUcU${q!nQMMZOC!+
zoZYZPhp8pbBmdV@U%hXCH(uR;WxDH)CC8@cb^iR|7jYw0sMEzeaC-6F6Ss`HJN^}9
zKKVMe=dth7!)h;H_D*#@d{{W{Ue=8{Z;r8ES#UJT`pnhHMHw&8b1l;8+O=C#``i(Z
z<+sHCTGnjK|M6-4T;}=a`i9+)j@34+29~b9l418RcW(4TZSTJN+USJ)wfj$O{H0ww
z`COqu>2YQIG}*Or%+HSbW`*|zW<FiDLt^IK!h@Th`?ysXWPSSZElTxd$rZ*ehaWm-
z-CuQ&?@Ncc_p*QAl7F1JdNf_=-?N^eb&>`18PX2l6q8_mGWo2Co^jH|=}xD!6|Wup
zcVVS>hvY;*-3jGc5?ecKoiErfIwg7a<y-byU9Y@4N;Itnc(y1^Fx(k>!$^0(oXgI@
zIp^nHXOm=Mo@OHSkzMp(vwEY-b~Xj+NA;6V#DB<ouRp8vT#BPs=aRp1aVKReBy!AK
z3KLwsvee{SrLJtXDr79#eaK~^l1<!(3LnqwyC(}2eqEOF_H>-(hv}L>_8GpoEMi^r
z?aXQiW(yOBnbS6jSGiYev$u0?WB-&`_E#pVg6C~2(^lQ{J1ZplSIjVa7`f}qS|R_{
z{H2LKTNdP-IfRKOOQ(8lPKunuwXDQce3Nr^?D=fH4wX5Rb&YN;_M4;9_x*gvT2cOI
z8x}SR@Utp}>Tfl^%z3M?AyKov?Dd*uMss$obDlLLxK{L(yv64`t~1qVc8gXP2|VI-
zzVka+>#1f7?}wI7p4@2(#jj6qOFq)@J>d79(wyr7xeq3EFPw0=Cnf9nwvsLSeF{Zt
zTHE$t+~~PJR%6FPw!Gup1f~>pneBYvYpw2=B$#|hSaZTQE3p@~i%v%QEqE4t``3EG
zsVWTLuiq)&zF~^Oe(i;GZ3E6+ov8T#?k@XfrV(c@B^=-I+<I>{>!qgearIL({!J?g
z`;+<q?!~Mhes(bu-*n_&OHH(}zLghYwJ|Hvy6o_QHK~qnPZ@ut|H+=I<1SP)Q_DCf
za@x*7zd*YO4;;j$mwhuWJH^5Cv2OlJi!2kiZC+by<5sOqmg`)p@_N=y<FgN#*^g8_
z5VQW>U;1#j+(W(#l}~*R8*EOP%^6p(9C^4UE;{aXVwT&|87dD>OqY4s!{Pn)>@|)%
zOB?OJr*&;Qsx6(aciA?3-Lfw;#I+TL#T3rmZp%0^`*nM9ldtDT)h`P5iRHVa?*{7x
zMISsQ@$!nSoZ^qf>~xvsK`WgSQ=R-aPCj?n^ifjjzUxzC3-__*bnwmW<CSV!ugmh&
zyyAnH%UceQof&g(PKZ(awf|fRrw@ze^O7mTN0t_fO)~LYwohrP@1wPvi@R+5!e-tK
zc=uTGK>zQ!uCG6|cii4@es(R(sXo(puk(JbE94B`Gnb=QO6K{jOsiFirw%WhP*wC^
zXh%&Kqp`oOr+@ol{-a{v=QH`Q9`N2;QF-QJkB!?zvnzog%~S4sz5W;F*<fh@D1mFj
zsvikI-+TPDO#14-{bA`@VdaZDkE^zC%&cxO4n8vJa#8BOw&Kl^izjftf7d^kK`u<c
z%>L-xzt1nkJmryl5cEEF`TH|^wLx#Hm5P2GTb8`DPSq&TDPoasld;>08>!Xz&i+4@
by!1n;Hk<vAJ1yysHO#Z_^2|y%ve5+q<oq#<

literal 0
HcmV?d00001

diff --git a/users/tazjin/secrets/secrets.nix b/users/tazjin/secrets/secrets.nix
index 12f12f721..a29bd30b7 100644
--- a/users/tazjin/secrets/secrets.nix
+++ b/users/tazjin/secrets/secrets.nix
@@ -13,4 +13,5 @@ in
   "geesefs-tazjins-files.age".publicKeys = allKeys;
   "miniflux.age".publicKeys = allKeys;
   "tgsa-yandex.age".publicKeys = allKeys;
+  "lego-yandex.age".publicKeys = allKeys;
 }