From ca6e91a0ab335bae928c7f8782ba5ae086cd925f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 3 Feb 2026 05:16:22 +0100
Subject: [PATCH] fixup! pki: add new vault root ca to pki

---
 hosts/vaulttest01/configuration.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix
index 76342ff..fae5005 100644
--- a/hosts/vaulttest01/configuration.nix
+++ b/hosts/vaulttest01/configuration.nix
@@ -105,6 +105,24 @@
 };
 };
+ # Test ACME certificate issuance from OpenBao PKI
+ # Override the global ACME server to use OpenBao instead of step-ca
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ server = "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";
+ email = "root@home.2rjus.net";
+ dnsPropagationCheck = false;
+ };
+ };
+
+ # Request a certificate for this host
+ # Using HTTP-01 challenge with standalone listener on port 80
+ security.acme.certs."vaulttest01.home.2rjus.net" = {
+ listenHTTP = ":80";
+ enableDebugLogs = true;
+ };
+
 system.stateVersion = "25.11"; # Did you read the comment?
 }
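Review bot: `dnsPropagationCheck = false;` is set under `security.acme.defaults`, so it applies to every certificate on this host, yet the only certificate requested here uses the HTTP-01 standalone listener (`listenHTTP = ":80";`), where, as far as I know, a DNS propagation setting plays no part. I would drop that line, or move it onto a specific DNS-01 certificate if one is added later, so that a future cert does not silently inherit a disabled check. The hunk also does not show TCP 80 being opened in the firewall, nor the OpenBao CA being trusted by the ACME client for the `:8200` directory URL. If neither is handled elsewhere, a comment above the cert such as `# needs TCP 80 reachable from vault01 and the OpenBao root CA in the system trust store` would record the dependency. The enclosing attribute set starts outside the hunk.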