From 2063550f93290248470014544ced9040303217eb Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Mon, 5 Jan 2026 21:42:17 +0100
Subject: [PATCH] setup internal CA

---
 clan/network.nix | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/clan/network.nix b/clan/network.nix
index 37d00bc..be7255f 100644
--- a/clan/network.nix
+++ b/clan/network.nix
@@ -33,16 +33,17 @@
 };
 };

- # clan.inventory.instances.certificates = {
- # module.name = "certificates";
- # module.input = "clan-core";
+ clan.inventory.instances.certificates = {
+ module.name = "certificates";
+ module.input = "clan-core";

- # roles.ca.machines.verbena = {
- # settings.acmeEmail = "admin@rpqt.fr";
- # };
- # roles.default.tags.all = { };
- # roles.default.settings.acmeEmail = "admin@rpqt.fr";
- # };
+ roles.ca.machines.verbena = {
+ settings.acmeEmail = "admin@rpqt.fr";
+ settings.tlds = [ "val" ];
+ };
+ roles.default.tags.all = { };
+ roles.default.settings.acmeEmail = "admin@rpqt.fr";
+ };

 # Temporarily patched version of clan-core/coredns for AAAA records support
 clan.inventory.instances.coredns = {
@@ -57,7 +58,14 @@
 settings.ip = "fd28:387a:90:c400:6db2:dfc3:c376:9956";
 };
 roles.server.settings = {
- tld = "home.rpqt.fr";
+ tld = "val";
+ };
+
+ roles.default.machines.verbena.settings = {
+ ip = "fd28:387a:90:c400::1";
+ services = [
+ "ca"
+ ];
 };

 roles.default.machines.genepi.settings = {
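Review bot: The newly enabled `clan.inventory.instances.certificates` block has no comment stating its trust scope, which is the part a later reader most needs. `roles.default.tags.all = { };` applies the default role to every machine tagged `all`, which presumably makes each of them trust the CA on verbena, and `settings.tlds = [ "val" ];` appears to be the only bound on what that CA may issue for. I would add a comment above the block such as `# Internal CA on verbena, trusted by every machine tagged "all"; issuance is meant to be limited to the "val" TLD` and confirm that the generated root certificate carries a matching name constraint. Separately, `"admin@rpqt.fr"` is written out for both roles; a single `let` binding would keep the two `acmeEmail` values from drifting apart.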
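Review bot: `tld = "val";` in `roles.server.settings` moves the zone from a subdomain of a domain the author controls to a bare label that is not reserved for private use. Lookups for `*.val` from a host that is not using the clan resolver will go to public DNS, and if the label were ever delegated, the internal names and the CA's certificates would collide with it. A private-use name such as `home.arpa` (RFC 8375) or `internal` avoids this; if `val` is kept, record the reason in a comment like `# private TLD, must match certificates.roles.ca settings.tlds`. The string is also repeated in `settings.tlds = [ "val" ];` in the first hunk, so one shared binding would keep the DNS zone and the CA scope in step. The enclosing `coredns` instance starts above this hunk and continues below it, so other machines' `services` entries are not visible here.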