profile/acme: default DNS provider is gandi

Add the API key for gandi to the secrest, create a profile for acme with
my defaults.

The profile is loaded by tahoe since that's where our services are
running on.

Update all the servers in nginx to listen on their wireguard interface.

4 files changed, 21 insertions, 5 deletions

diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index cfa3717..6fb5fcb 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -9,6 +9,7 @@ in
     ./networking.nix
     ./services.nix
     "${self}/profiles/nas.nix"
+    "${self}/profiles/acme.nix"
     "${self}/profiles/hardware/amd.nix"
   ];
 
diff --git a/hosts/tahoe/secrets/gandi/apikey.age b/hosts/tahoe/secrets/gandi/apikey.age
new file mode 100644
index 0000000..3f35522
--- /dev/null
+++ b/hosts/tahoe/secrets/gandi/apikey.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 jMYhTKmWi5riTgT9QQVOlzlIegqM1MI2QtJbOonsL2E
+bM9xqcJc41bKs0as9lIQQQGZhB5cmaZtO1fHCsrMR9M
+-> X25519 3xMvuIuRGXBp/gbv+aZpjkp6wLw6hyRAqBIe/Pf+Szo
+2X45mDvLNcDOntT4JgZUFHpnlShm3UYv7gCpHGaj4Fo
+-> X25519 xemfO0+4pS8WG/7QoIIqULZ/xN+C0l+LbBgv4QIdcQU
+VfoMT93/3hTZdPo4ALCaEZrIO3bHhsoxCwf6DyXPwvI
+-> s06@-grease .@\9Og@9 7yCI nS'`(65/
+W1seHOnAnPFF8BB6uqQKv8JwpmoNCU93i06VtxuuHiaeGrlXNPiF0ikD/mysdA
+--- dpDFFk5ZPUwQZp96fpS85eZCVELD4GB1uwl/8ev5moA
+��⇼�?�Z�u�����>��x��3d[s�Lٵ
��)�|[��z��1#�c�Ѩ���3B�HLw҂�]$�.
\ No newline at end of file
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 34b955b..0560a57 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -28,6 +28,11 @@ in
     owner = "unpoller-exporter";
   };
 
+  "gandi/apikey.age" = {
+    publicKeys = all;
+    owner = "acme";
+  };
+
   "restic/repo-systems.age".publicKeys = all;
   "rsync.net/ssh-key.age".publicKeys = all;
 
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index a04225e..0227f4c 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -1,8 +1,7 @@
-{ config, ... }:
+{ self, config, ... }:
 let secrets = config.age.secrets;
 in
 {
-
   # this unit is broken and useless. I don't know how to not install
   # it, so let's mask it.
   systemd.services.mdmonitor.enable = false;
@@ -14,12 +13,12 @@ in
     };
     navidrome = {
       enable = true;
-      vhostName = "music.fcuny.xyz";
+      vhostName = "music.${config.homelab.domain}";
       musicFolder = "/data/fast/music";
     };
     unifi = {
       enable = true;
-      vhostName = "unifi.fcuny.xyz";
+      vhostName = "unifi.${config.homelab.domain}";
     };
 
     monitoring = {
@@ -33,7 +32,7 @@ in
       };
       grafana = {
         enable = true;
-        vhostName = "dash.fcuny.xyz";
+        vhostName = "dash.${config.homelab.domain}";
       };
       promtail.enable = true;
       node-exporter.enable = true;