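---
# 1. cert-manager Helm chart, deployed as an Argo CD Application.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager
  namespace: argocd
  annotations:
    # Ensure cert-manager is installed first. Argo CD reads sync ordering from
    # this annotation, not from a `SyncWave=` entry under syncOptions. Wave 0
    # is also the default, so dependants need a higher wave, and the wave only
    # matters when a parent app syncs this Application.
    argocd.argoproj.io/sync-wave: "0"
spec:
  # NOTE(review): the built-in `default` AppProject is normally unrestricted
  # (any source repo, any destination); a dedicated project limited to this
  # chart repo and namespace is tighter. Confirm how `default` is configured.
  project: default
  source:
    repoURL: "https://charts.jetstack.io"
    chart: "cert-manager"
    # Pinned chart version; upgrade deliberately, because automated sync below
    # applies whatever this revision resolves to.
    targetRevision: "v1.18.2"
    helm:
      releaseName: "cert-manager"
      # The extraArgs make cert-manager run its DNS-01 propagation self-check
      # only through the listed recursive resolvers.
      # NOTE(review): `installCRDs` is deprecated in recent cert-manager charts
      # in favour of `crds.enabled`; kept as-is because it is still accepted.
      values: |
        installCRDs: true
        extraArgs:
          - --dns01-recursive-nameservers-only
          - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
  destination:
    server: "https://kubernetes.default.svc"
    namespace: home-server
  syncPolicy:
    automated:
      # prune deletes resources that disappear from the chart; selfHeal reverts
      # manual changes made in the cluster.
      prune: true
      selfHeal: true
    # `SkipHooks=false` and `SyncWave=0` were dropped from this list: neither is
    # a sync option Argo CD recognises, so they had no effect here.
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
---
# 2. ClusterIssuer
# NOTE(review): a ClusterIssuer can be referenced from every namespace, and
# this solver has no selector, so any subject allowed to create Certificates
# can request names in the zone this TSIG key may update. Use a namespaced
# Issuer or a solver selector if that is wider than intended.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-rfc2136
spec:
  acme:
    email: admin@hxme.net
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret in which cert-manager keeps the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-rfc2136
    solvers:
      - dns01:
          rfc2136:
            nameserver: "hawke.hxst.com.au:53"
            tsigKeyName: "hxme-update-key"
            tsigAlgorithm: HMACSHA512
            # The TSIG secret must already exist in the cluster; keep it out of
            # Git. For a ClusterIssuer it is read from cert-manager's cluster
            # resource namespace (presumably home-server here; verify).
            # On the nameserver, limit this key's update policy to the
            # _acme-challenge TXT records it needs.
            tsigSecretSecretRef:
              name: hxme-update-key
              key: hxme-update-key
---
# 3. Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-hxme-net
  namespace: home-server
spec:
  secretName: wildcard-hxme-net
  secretTemplate:
    # These annotations are copied onto the issued Secret so that the mittwald
    # replicator copies it into home-media. Anything that can read Secrets in
    # that namespace then holds the wildcard private key, so keep Secret read
    # access there as tight as in home-server.
    annotations:
      replicator.v1.mittwald.de/replication-allowed: "true"
      replicator.v1.mittwald.de/replicate-to: "home-media"
  issuerRef:
    name: letsencrypt-rfc2136
    kind: ClusterIssuer
  commonName: "hxme.net"
  # The wildcard does not cover the apex, so both names are listed.
  dnsNames:
    - "hxme.net"
    - "*.hxme.net"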