From de36b9d01641847e598c3962db77e7786786569a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 03:29:54 +0100
Subject: [PATCH] kanidm: add hostname SAN to ACME certificate

Include both auth.home.2rjus.net (CNAME) and kanidm01.home.2rjus.net (A record) as SANs in the TLS certificate. This fixes Prometheus scraping which connects via the hostname, not the CNAME.

Fixes: x509: certificate is valid for auth.home.2rjus.net, not kanidm01.home.2rjus.net

Co-Authored-By: Claude Opus 4.5
---
 services/kanidm/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index ad45c39..69a57d1 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -39,9 +39,11 @@
   users.users.kanidm.extraGroups = [ "acme" ];
 
   # ACME certificate from internal CA
+  # Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
   security.acme.certs."auth.home.2rjus.net" = {
     listenHTTP = ":80";
     reloadServices = [ "kanidm" ];
+    extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
   };
 
   # Vault secret for idm_admin password
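Review bot: The new comment names the A record literally as `kanidm01` while the added `extraDomainNames` entry derives it from `config.networking.hostName`, so the comment goes stale silently if the host is ever renamed; consider `# Also cover this machine's own A record (<hostName>.home.2rjus.net) so Prometheus, which scrapes by hostname rather than the auth CNAME, can validate the certificate`. The `home.2rjus.net` suffix is now spelled out both in the cert attribute name and in the SAN entry; if more names are added, a single `let`-bound domain at the top of the module would keep the primary name and its SANs from drifting apart. Adding a second name also means the internal CA's HTTP-01 validation on `listenHTTP = ":80"` has to succeed for the hostname as well, which the A record described in the commit message presumably satisfies but is worth confirming on first renewal. The enclosing module attribute set begins and ends outside the hunk.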