From 5c1742e13f88a4d145759906134176460c67f2de Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Wed, 10 Aug 2022 01:51:46 +0100
Subject: [PATCH] depotwide: add google-cloudflare role
---
 nix/pkgs/vault-acme/default.nix | 4 ++--
 ops/nixos/lib/secretsmgr-acme.nix | 2 +-
 ops/nixos/totoro/default.nix | 2 +-
 ops/vault/cfg/acme-ca.nix | 2 ++
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/nix/pkgs/vault-acme/default.nix b/nix/pkgs/vault-acme/default.nix
index f156529d79..ec7bc82da4 100644
--- a/nix/pkgs/vault-acme/default.nix
+++ b/nix/pkgs/vault-acme/default.nix
@@ -15,8 +15,8 @@ buildGoModule rec {
 src = fetchFromGitHub {
 owner = "lukegb";
 repo = pname;
- rev = "c93a5466c09e2198483928e4931e31f2a3cee753";
- sha256 = "sha256:1yik8vx4d9c8qcxrrab0j1vxzcs1qnfgpi62n6rqv2sy19k0kybz";
+ rev = "d128cded9a4f96b0c6784f13c6ff6d077f6688da";
+ sha256 = "sha256:0yp8nmzp0cfqxh0r6qls0mwz9myaskb3q5qwcwx6gcm2wrwidi84";
 };
 patches = [ ./just-add-a-sleep.patch ];
diff --git a/ops/nixos/lib/secretsmgr-acme.nix b/ops/nixos/lib/secretsmgr-acme.nix
index da69d275c5..c85d2e8a3d 100644
--- a/ops/nixos/lib/secretsmgr-acme.nix
+++ b/ops/nixos/lib/secretsmgr-acme.nix
@@ -51,7 +51,7 @@ in
 role = mkOption {
 type = str;
- default = "letsencrypt-cloudflare";
+ default = "google-cloudflare";
 description = "Which role to use for certificate issuance.";
 };
diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index 55ea6b6f21..e6d39f2ae8 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -506,7 +506,7 @@ in {
 ExecStart = "${depot.ops.raritan.ssl-renew}/lego.sh";
 EnvironmentFile = pkgs.writeText "sslrenew-secret" ''
 CERTIFICATE_DOMAIN=kvm.lukegb.xyz
- CERTIFICATE_ROLE=letsencrypt-cloudflare
+ CERTIFICATE_ROLE=google-cloudflare
 RARITAN_IP=192.168.1.50
 RARITAN_USERNAME=${secrets.raritan.sslrenew.username}
 RARITAN_PASSWORD=${secrets.raritan.sslrenew.password}
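Review bot: In ops/nixos/lib/secretsmgr-acme.nix, changing the `role` default moves every host that does not set `role` explicitly to a different issuing CA in one step, and the option text gives no hint of that. If any of the served domains publish CAA records, or if anything pins or monitors the previous issuer, those need to admit the new CA before this rolls out, otherwise renewals will fail or raise alerts; this is inferred from the role name, since the CA behind `google-cloudflare` is not visible here. I would extend the description to `description = "Vault ACME role used for certificate issuance; must name a role defined in ops/vault/cfg/acme-ca.nix.";`. The enclosing options set starts and ends outside the hunk.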
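Review bot: In ops/nixos/totoro/default.nix the `EnvironmentFile` is built with `pkgs.writeText`, so `RARITAN_USERNAME` and `RARITAN_PASSWORD` are written into the Nix store, where store paths are readable by every local user and travel with any closure copy or binary-cache push. The commit only changes `CERTIFICATE_ROLE`, but while this block is being touched it would be worth keeping only the non-secret variables in the `writeText` file and loading the credentials from a file provisioned outside the store at runtime, for example `EnvironmentFile = [ (pkgs.writeText "sslrenew-env" nonSecretVars) "<runtime-secret-path>" ];`, where `nonSecretVars` and `<runtime-secret-path>` are placeholders. The service definition starts and ends outside the hunk, so how `secrets` is sourced is not visible here.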
diff --git a/ops/vault/cfg/acme-ca.nix b/ops/vault/cfg/acme-ca.nix
index 312dc1eabe..67776ac8fb 100644
--- a/ops/vault/cfg/acme-ca.nix
+++ b/ops/vault/cfg/acme-ca.nix
@@ -44,5 +44,7 @@
 letsencrypt-gcloud-as205479.allowed_domains = gcloudDomains;
 letsencrypt-staging-gcloud-as205479.allowed_domains = gcloudDomains;
+
+ google-cloudflare.allowed_domains = cloudflareDomains;
 };
 }
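Review bot: The new `google-cloudflare` role in ops/vault/cfg/acme-ca.nix carries no comment saying which ACME account or CA it binds to, and unlike `letsencrypt-gcloud-as205479` it has no staging counterpart visible in the hunk. Because the same commit makes this role the default for hosts, the Vault configuration has to be applied before any host is deployed, or issuance requests will name a role Vault does not know yet. A short comment would record that, e.g. `# Presumably Google's ACME CA with Cloudflare DNS validation; apply Vault config before deploying hosts that default to this role.`. `cloudflareDomains` and the account definitions sit outside the hunk, so the issuance scope granted here (presumably the same as `letsencrypt-cloudflare`) should be confirmed against them.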