fixup! pki: add new vault root ca to pki

services/vault/default.nix

@@ -195,6 +195,8 @@ in
     SupplementaryGroups = [ "acme" ];
   };
 
+  # ACME certificate management
+  # Bootstrapped with bootstrap-vault-cert, now managed by ACME
   security.acme.certs."vault01.home.2rjus.net" = {
     server = "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
     listenHTTP = ":80";

terraform/vault/pki.tf

@@ -62,6 +62,13 @@ resource "vault_mount" "pki_int" {
   description               = "Intermediate CA"
   default_lease_ttl_seconds = 157680000 # 5 years
   max_lease_ttl_seconds     = 157680000 # 5 years
+
+  # Required for ACME support - allow ACME-specific response headers
+  allowed_response_headers = [
+    "Replay-Nonce",
+    "Link",
+    "Location"
+  ]
 }
 
 resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
@@ -139,6 +146,33 @@ resource "vault_pki_secret_backend_config_urls" "config_urls" {
   ]
 }
 
+# Configure cluster path (required for ACME)
+resource "vault_pki_secret_backend_config_cluster" "cluster" {
+  backend  = vault_mount.pki_int.path
+  path     = "${var.vault_address}/v1/${vault_mount.pki_int.path}"
+  aia_path = "${var.vault_address}/v1/${vault_mount.pki_int.path}"
+}
+
+# Enable ACME support
+resource "vault_generic_endpoint" "acme_config" {
+  depends_on = [
+    vault_pki_secret_backend_config_cluster.cluster,
+    vault_pki_secret_backend_role.homelab
+  ]
+
+  path                 = "${vault_mount.pki_int.path}/config/acme"
+  ignore_absent_fields = true
+  disable_read         = true
+  disable_delete       = true
+
+  data_json = jsonencode({
+    enabled                  = true
+    allowed_issuers          = ["*"]
+    allowed_roles            = ["*"]
+    default_directory_policy = "sign-verbatim"
+  })
+}
+
 # ============================================================================
 # Direct Certificate Issuance (Non-ACME)
 # ============================================================================