From 903f44edc3c4a0e07637573dccaf07435f6348f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 3 Feb 2026 06:06:38 +0100
Subject: [PATCH] fixup! pki: add new vault root ca to pki
---
 services/vault/default.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/services/vault/default.nix b/services/vault/default.nix
index 33b9aa5..d0b4d6a 100644
--- a/services/vault/default.nix
+++ b/services/vault/default.nix
@@ -99,10 +99,11 @@ let
 # ACME certificate directory
 CERT_DIR="/var/lib/acme/vault01.home.2rjus.net"
- # Issue certificate for vault01
- echo "Issuing certificate for vault01.home.2rjus.net..."
+ # Issue certificate for vault01 with vault as SAN
+ echo "Issuing certificate for vault01.home.2rjus.net (with SAN: vault.home.2rjus.net)..."
 OUTPUT=$(bao write -format=json pki_int/issue/homelab \
 common_name="vault01.home.2rjus.net" \
+ alt_names="vault.home.2rjus.net" \
 ttl="720h")
 # Create ACME directory structure
@@ -140,6 +141,9 @@ let
 echo ""
 echo "Certificate details:"
 openssl x509 -in "$CERT_DIR/cert.pem" -noout -subject -issuer -dates
+ echo ""
+ echo "Subject Alternative Names:"
+ openssl x509 -in "$CERT_DIR/cert.pem" -noout -ext subjectAltName
 echo ""
 echo "Now restart openbao service:"
@@ -195,6 +199,6 @@ in
 server = "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
 listenHTTP = ":80";
 reloadServices = [ "openbao" ];
- # extraDomainNames = [ "vault.home.2rjus.net" ];
+ extraDomainNames = [ "vault.home.2rjus.net" ];
 };
 }
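Review bot: The added `alt_names="vault.home.2rjus.net"` only yields a certificate if the `homelab` role on `pki_int` permits that name, and nothing in this hunk checks that the `bao write` succeeded before `$OUTPUT` is used. The role definition and the script's error handling (for example `set -e`) are outside the hunk, so this may already be covered; if it is not, a guard such as `[ -n "$OUTPUT" ] || { echo "certificate issue failed" >&2; exit 1; }` after the call keeps an empty or partial result from being written under `$CERT_DIR`. The alias is also repeated as a literal in the `echo` and in the request; a `SAN=` variable next to `CERT_DIR` would keep the two in step.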
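Review bot: The new `openssl x509 ... -ext subjectAltName` line only prints the SAN list, so the operator still has to read it and spot a missing `vault.home.2rjus.net` by eye. Adding `openssl x509 -in "$CERT_DIR/cert.pem" -noout -checkhost vault.home.2rjus.net` after it makes openssl state whether the alias matches the certificate before the "Now restart openbao service" step. `-ext` needs OpenSSL 1.1.1 or later; the openssl package this script runs with is declared outside the hunk.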
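Review bot: Enabling `extraDomainNames` alongside `listenHTTP = ":80"` means the HTTP challenge for `vault.home.2rjus.net` has to reach this host, and the line carries no comment saying so. If the alias ever resolves elsewhere, the order for the whole certificate, including `vault01.home.2rjus.net`, would presumably fail at renewal, and whichever host answers port 80 for the alias would be the one able to obtain a certificate for it. I would add a comment above the line, `# HTTP-01: vault.home.2rjus.net must resolve to this host; renewal of the whole cert fails otherwise`. The attribute set this line belongs to starts outside the hunk.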