switch to wildcard certs

config/hosts/wind/services/acme.nix

@@ -5,25 +5,10 @@
     acceptTerms = true;
     email = "admin+certs@graven.dev";
     certs."graven.dev" = {
+      extraDomainNames = "*.graven.dev";
       dnsProvider = "hurricane";
       credentialsFile = config.secrets.files.acme_graven_dev.file;
     };
-    certs."turn.graven.dev" = {
-      dnsProvider = "hurricane";
-      credentialsFile = config.secrets.files.acme_turn_graven_dev.file;
-    };
-    certs."rss.graven.dev" = {
-      dnsProvider = "hurricane";
-      credentialsFile = config.secrets.files.acme_rss_graven_dev.file;
-    };
-    certs."git.graven.dev" = {
-      dnsProvider = "hurricane";
-      credentialsFile = config.secrets.files.acme_git_graven_dev.file;
-    };
-    certs."vault.graven.dev" = {
-      dnsProvider = "hurricane";
-      credentialsFile = config.secrets.files.acme_vault_graven_dev.file;
-    };
   };
 }
 

config/hosts/wind/services/coturn.nix

@@ -17,8 +17,8 @@
     no-multicast-peers
     ";
     secure-stun = true;
-    cert = "/var/lib/acme/turn.graven.dev/fullchain.pem";
+    cert = "/var/lib/acme/graven.dev/fullchain.pem";
-    pkey = "/var/lib/acme/turn.graven.dev/key.pem";
+    pkey = "/var/lib/acme/graven.dev/key.pem";
     min-port = 49152;
     max-port = 49999;
   };

config/hosts/wind/services/nginx.nix

@@ -60,17 +60,17 @@
         };
       };
       "rss.graven.dev" = {
-        useACMEHost = "rss.graven.dev";
+        useACMEHost = "graven.dev";
         forceSSL = true;
       };
       "git.graven.dev" = {
-        useACMEHost = "git.graven.dev";
+        useACMEHost = "graven.dev";
         forceSSL = true;
         locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
       };
       "vault.graven.dev" = {
         forceSSL = true;
-        useACMEHost = "vault.graven.dev";
+        useACMEHost = "graven.dev";
         locations."/" = {
           proxyPass = "http://localhost:8812";
           proxyWebsockets = true;