cluster/services/certificates: init, add internal wildcard cert

cluster/services/certificates/default.nix

@@ -0,0 +1,12 @@
+{
+  services.certificates = {
+    nodes = {
+      internal-wildcard = [ "checkmate" "VEGAS" ];
+    };
+    nixos = {
+      internal-wildcard = [
+        ./internal-wildcard.nix
+      ];
+    };
+  };
+}

cluster/services/certificates/internal-wildcard.nix

@@ -0,0 +1,14 @@
+{ tools, ... }:
+
+let
+  inherit (tools.meta) domain;
+in
+
+{
+  security.acme.certs."internal.${domain}" = {
+    domain = "*.internal.${domain}";
+    extraDomainNames = [ "*.internal.${domain}" ];
+    dnsProvider = "pdns";
+    group = "nginx";
+  };
+}