wildcard dns with ACME

this is just me procrastinating …

(not tested, not deployed – we don't actually own i4f.de)

services/shortdomains.nix

@@ -2,17 +2,6 @@
 
 let
   shortdomain = "i4f.de";
-  short = name: target: {
-    inherit name target;
-  };
-  toVirtualHosts = {name, target, ...}: {
-    name = "${name}.${shortdomain}";
-    value = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".return = "302 https://${target}$request_uri";
-    };
-  };
   redirects = [
     (short "d" "discuss.infra4future.de")
     (short "m" "mattermost.infra4future.de")
@@ -20,8 +9,27 @@ let
     (short "s" "survey.infra4future.de")
     (short "g" "gitlab.infra4future.de")
   ];
+
+
+  short = name: target: {
+    inherit name target;
+  };
+  toVirtualHosts = {name, target, ...}: {
+    name = "${name}.${shortdomain}";
+    value = {
+      forceSSL = true;
+      useACMEHost = "*.i4f.de";
+      locations."/".return = "302 https://${target}$request_uri";
+    };
+  };
 in
 {
+  security.acme.certs."wildcard.i4f.de" = {
+    domain = "*.i4f.de";
+    dnsProvider = "cloudflare";
+    credentialsFile = "/persist/var/shortdomains/dns-secrents.env";
+  };
+
   services.nginx.virtualHosts =
     lib.listToAttrs (map toVirtualHosts redirects)
     // {