From a20746490ac137c45253117f9d20cdc9a932d8b6 Mon Sep 17 00:00:00 2001
From: Bloxx12
Date: Thu, 22 May 2025 09:44:38 +0200
Subject: [PATCH] acme: init

---
 modules/services/acme/module.nix | 34 +++++++++++++++++++++++++++++
 modules/services/forgejo/module.nix | 28 ++++++++++++------------
 2 files changed, 48 insertions(+), 14 deletions(-)
 create mode 100644 modules/services/acme/module.nix

diff --git a/modules/services/acme/module.nix b/modules/services/acme/module.nix
new file mode 100644
index 0000000..1aa1837
--- /dev/null
+++ b/modules/services/acme/module.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ acmeRoot = "/var/lib/acme/challenges";
+
+ mkAcmeCert = domain: {
+ # An acme system user is created. This user belongs to the acme group
+ # and the home directory is /var/lib/acme. This user will try to make the directory
+ # .well-known/acme-challenge/ under the webroot directory.
+ webroot = "${acmeRoot}-${domain}";
+
+ # email to send updates to, we prefix "acme" and the
+ # name of the domain the certificate is for to it.
+ email = "acme+${domain}+charlie@charlieroot.dev";
+ group = "nginx";
+ };
+in {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "charlie@charlieroot.dev";
+ # testing server, do not use in production, but DO use it for setting things up.
+ # it has much higher rate limits.
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+ # certs = {
+ # "copeberg.org" = mkAcmeCert "copeberg.org";
+ # "info.copeberg.org" = mkAcmeCert "info.copeberg.org";
+ # };
+ };
+}
diff --git a/modules/services/forgejo/module.nix b/modules/services/forgejo/module.nix
index bbc4de4..cd52784 100644
--- a/modules/services/forgejo/module.nix
+++ b/modules/services/forgejo/module.nix
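Review bot: With `certs` left commented out in the new module and the forgejo `security.acme` block commented out in the second hunk, this commit leaves no ACME certificate defined anywhere, so a virtual host that relied on the `${domain}` certificate will stop renewing once the current one expires. Either enable the `certs` attribute now or add a comment above it stating that the module is intentionally inactive until the domains are confirmed. While `certs` is commented out, `mkAcmeCert`, `acmeRoot` and the `config`, `lib`, `pkgs` arguments are all unused. The per-domain webroot `"${acmeRoot}-${domain}"` also only works if the nginx virtual host serves `/.well-known/acme-challenge/` from that same directory (`services.nginx.virtualHosts.<name>.acmeRoot`), which nothing in this module configures; a comment on `webroot` such as `# must match the vhost's acmeRoot, or the HTTP-01 challenge cannot be served` would save the next reader a debugging session.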
@@ -43,20 +43,20 @@ in {
 };
 };
- security.acme = let
- email = "charlie@charlieroot.dev";
- in {
- # testing server, do not use in production, but DO use it for setting things up.
- # it has much higher rate limits.
- # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
- certs = {
- ${domain} = {
- webroot = acmeRoot;
- inherit email;
- group = "nginx";
- };
- };
- };
+ # security.acme = let
+ # email = "charlie@charlieroot.dev";
+ # in {
+ # # testing server, do not use in production, but DO use it for setting things up.
+ # # it has much higher rate limits.
+ # # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ # certs = {
+ # ${domain} = {
+ # webroot = acmeRoot;
+ # inherit email;
+ # group = "nginx";
+ # };
+ # };
+ # };
 # create the git user for forgejo
 # NOTE: this is important and it will _not_ work otherwise.
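Review bot: The removed `security.acme` block is kept as a 14-line comment rather than deleted; since its replacement now lives in modules/services/acme/module.nix and git history keeps the old text, deleting it would leave the module easier to read. If `acmeRoot` in this module's `let` (outside the hunk) was only referenced by the removed `webroot = acmeRoot;`, it is presumably unused now and should be removed with it, whereas `domain` is likely still needed by the virtual host. The enclosing attribute set starts and ends outside the hunk.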