From 5e7c46a4e96150bf22b674d671362ada79a2247d Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Thu, 7 Oct 2021 18:04:25 +0200
Subject: [PATCH] wildcard dns with ACME
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

this is just me procrastinating … (not tested, not deployed – we don't actually own i4f.de)
---
 services/shortdomains.nix | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/services/shortdomains.nix b/services/shortdomains.nix
index a1e75f8..36f7d08 100644
--- a/services/shortdomains.nix
+++ b/services/shortdomains.nix
@@ -2,17 +2,6 @@ let
 shortdomain = "i4f.de";
- short = name: target: {
- inherit name target;
- };
- toVirtualHosts = {name, target, ...}: {
- name = "${name}.${shortdomain}";
- value = {
- forceSSL = true;
- enableACME = true;
- locations."/".return = "302 https://${target}$request_uri";
- };
- };
 redirects = [
 (short "d" "discuss.infra4future.de")
 (short "m" "mattermost.infra4future.de")
@@ -20,8 +9,27 @@ let
 (short "s" "survey.infra4future.de")
 (short "g" "gitlab.infra4future.de")
 ];
+
+
+ short = name: target: {
+ inherit name target;
+ };
+ toVirtualHosts = {name, target, ...}: {
+ name = "${name}.${shortdomain}";
+ value = {
+ forceSSL = true;
+ useACMEHost = "*.i4f.de";
+ locations."/".return = "302 https://${target}$request_uri";
+ };
+ };
 in {
+ security.acme.certs."wildcard.i4f.de" = {
+ domain = "*.i4f.de";
+ dnsProvider = "cloudflare";
+ credentialsFile = "/persist/var/shortdomains/dns-secrents.env";
+ };
+
 services.nginx.virtualHosts = lib.listToAttrs (map toVirtualHosts redirects) // {