From 2a282146107b7f5a0dad5a4a984648a9ce78a0ac Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Thu, 4 Dec 2025 22:46:52 +0100
Subject: [PATCH 1/7] fix http challenge
---
 services/nginx.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/services/nginx.nix b/services/nginx.nix
index e8c1f7b..f89d339 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -24,7 +24,8 @@ in
 quic = true;
 kTLS = true;
 forceSSL = true;
- useACMEHost = fqdn;
+ #useACMEHost = fqdn;
+ enableACME = true;
 listen = [
 {
 addr = "0.0.0.0";
@@ -48,7 +49,7 @@ in
 }
 ];
 locations = {
- "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
 "/".return = "418 \"I'm a Teapot!\"";
 "= /.well-known/matrix/client" = {
 return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
@@ -70,7 +71,7 @@ in
 };
 };
 
- security.acme.certs."${fqdn}" = {
- reloadServices = [ "nginx" ];
- };
+ #security.acme.certs."${fqdn}" = {
+ # reloadServices = [ "nginx" ];
+ #};
 }
From 4ed9dc41b1cabaadecd07a458416ce6fe262aa6e Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Thu, 4 Dec 2025 22:49:01 +0100
Subject: [PATCH 2/7] fix http challenge
---
 configuration.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/configuration.nix b/configuration.nix
index 404c171..3b202e0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -146,7 +146,6 @@
 renewInterval = "daily";
 email = "acme@xengi.de";
 group = "nginx";
- webroot = "/var/lib/acme/acme-challenges";
 };
 };
 };
From bd3477cd55583a09a53666f95ee39d38082c1463 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Thu, 4 Dec 2025 23:01:38 +0100
Subject: [PATCH 3/7] fix nginx
---
 services/nginx.nix | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/services/nginx.nix b/services/nginx.nix
index f89d339..8b79a57 100644
--- a/services/nginx.nix
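Review bot: Switching to `enableACME = true;` keeps the explicit `listen` list directly below it (its first 443 entry is the context at the end of this hunk), and that list holds only `ssl = true` entries, so as far as I can tell the NixOS nginx module ends up with no plain port-80 listener on which the HTTP-01 challenge that `enableACME` relies on could be answered; this is consistent with the later "fix nginx" commit, which only comments that list out. If the explicit port set is wanted, the smaller fix is to keep the list and add `{ addr = "0.0.0.0"; port = 80; }` and `{ addr = "[::]"; port = 80; }` rather than removing the override. The three places this commit turns into comments (`#useACMEHost = fqdn;` here, the acme-challenge location in the second hunk and the `security.acme.certs` block in the third) should be deleted rather than commented out: with `enableACME` the module provides the challenge location and the reload wiring itself, as far as I know, and git keeps the old text. The virtualHost definition starts before and continues after this hunk.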
+++ b/services/nginx.nix
@@ -26,28 +26,28 @@ in
 forceSSL = true;
 #useACMEHost = fqdn;
 enableACME = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- {
- addr = "[::]";
- port = 443;
- ssl = true;
- }
- {
- addr = "0.0.0.0";
- port = 8448;
- ssl = true;
- }
- {
- addr = "[::]";
- port = 8448;
- ssl = true;
- }
- ];
+ #listen = [
+ # {
+ # addr = "0.0.0.0";
+ # port = 443;
+ # ssl = true;
+ # }
+ # {
+ # addr = "[::]";
+ # port = 443;
+ # ssl = true;
+ # }
+ # {
+ # addr = "0.0.0.0";
+ # port = 8448;
+ # ssl = true;
+ # }
+ # {
+ # addr = "[::]";
+ # port = 8448;
+ # ssl = true;
+ # }
+ #];
 locations = {
 #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
 "/".return = "418 \"I'm a Teapot!\"";
From 21bd6d4f9f7abb128084de025b3a657d895ccc94 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Thu, 4 Dec 2025 23:24:04 +0100
Subject: [PATCH 4/7] add health check
---
 services/nginx.nix | 37 +------------------------------------
 1 file changed, 1 insertion(+), 36 deletions(-)
diff --git a/services/nginx.nix b/services/nginx.nix
index 8b79a57..24c02a3 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
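Review bot: The 22-line `listen` list is turned into a comment block instead of being deleted, and neither the hunk nor the message "fix nginx" says what the removal changes: without the override the vhost also stops binding the two port-8448 entries, so federation now has to reach this host on 443 (the README's `_matrix-fed._tcp` SRV records do point at 443, so this looks intended). Delete the block outright and state the 8448 drop in the commit message so the port change is visible in the log rather than hidden behind a comment prefix. If 8448 must stay, keep the list and add the non-TLS port-80 entries the HTTP-01 challenge needs instead of removing the whole override. The virtualHost definition begins before and continues after this hunk.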
@@ -24,41 +24,10 @@ in
 quic = true;
 kTLS = true;
 forceSSL = true;
- #useACMEHost = fqdn;
 enableACME = true;
- #listen = [
- # {
- # addr = "0.0.0.0";
- # port = 443;
- # ssl = true;
- # }
- # {
- # addr = "[::]";
- # port = 443;
- # ssl = true;
- # }
- # {
- # addr = "0.0.0.0";
- # port = 8448;
- # ssl = true;
- # }
- # {
- # addr = "[::]";
- # port = 8448;
- # ssl = true;
- # }
- #];
 locations = {
- #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
 "/".return = "418 \"I'm a Teapot!\"";
- "= /.well-known/matrix/client" = {
- return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
- extraConfig = ''
- default_type application/json;
- add_header Access-Control-Allow-Origin "*";
- '';
- };
- "~ ^(/_matrix|/_synapse/client)" = {
+ "~ ^(/_matrix|/_synapse/client|/health)" = {
 recommendedProxySettings = true;
 proxyPass = "http://[::1]:8008";
 extraConfig = ''
@@ -70,8 +39,4 @@ in
 };
 };
 };
-
- #security.acme.certs."${fqdn}" = {
- # reloadServices = [ "nginx" ];
- #};
 }
From 288b50d9936385df83f74585e4c8d5b471d80efe Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Thu, 4 Dec 2025 23:27:30 +0100
Subject: [PATCH 5/7] remove /health
---
 services/nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/nginx.nix b/services/nginx.nix
index 24c02a3..acaff25 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -27,7 +27,7 @@ in
 enableACME = true;
 locations = {
 "/".return = "418 \"I'm a Teapot!\"";
- "~ ^(/_matrix|/_synapse/client|/health)" = {
+ "~ ^(/_matrix|/_synapse/client)" = {
 recommendedProxySettings = true;
 proxyPass = "http://[::1]:8008";
 extraConfig = ''
From c457ef602a2a519d6bf923dc6dc02c18c9b44ecd Mon Sep 17 00:00:00 2001
From: xengi
Date: Fri, 5 Dec 2025 10:18:21 +0100
Subject: [PATCH 6/7] Update README.md
Signed-off-by: xengi
---
 README.md | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
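Review bot: The commit is titled "add health check", but the only line it adds is the `/health` alternation while this hunk also deletes the `= /.well-known/matrix/client` location (the `m.homeserver` answer served from this vhost) together with the commented remnants of the two earlier commits, and the second hunk deletes the commented `security.acme.certs` block; nobody reading the log will find the well-known removal under this title. Split the cleanup from the `/health` change, or at least name the well-known move in the message (the later README commit suggests it is now served from the apex host instead). The `/health` alternation itself routes Synapse's unauthenticated health endpoint through the public regex location, which is more exposure than a monitor needs; an exact-match location restricted to the monitor's source address would be the safer shape. The virtualHost definition starts before this hunk.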
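Review bot: Dropping `/health` from the alternation removes the check entirely rather than scoping it; if an external monitor needs the endpoint, a dedicated exact-match location limited to the monitor's source address keeps it off the public regex location, e.g. `"= /health" = { proxyPass = "http://[::1]:8008"; extraConfig = "allow <MONITOR-ADDR>; deny all;"; };` (placeholder address, to be filled in). Adding and reverting the same line in consecutive commits three minutes apart should be squashed before merge, so the history does not record a route that never shipped. The `locations` set continues outside this hunk.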
diff --git a/README.md b/README.md
index f295fe6..bde01f5 100644
--- a/README.md
+++ b/README.md
@@ -13,20 +13,30 @@ server {
 hostname berlin.ccc.de;
 location "/.well-known/matrix/server" {
 default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
 return 200 '{"m.server":"matrix.berlin.ccc.de:443"}';
 }
+ location "/.well-known/matrix/client" {
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}';
+ }
 }
 ```
 
 # DNS
 
 ```
-_matrix-fed._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-#_matrix._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-#_matrix._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-matrix.berlin.ccc.de. IN A
-matrix.berlin.ccc.de. IN AAAA
+_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
+_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
+matrix.berlin.ccc.de. IN A 195.160.173.25
+matrix.berlin.ccc.de. IN AAAA 2001:678:760:cccb::25
+matrix.berlin.ccc.de. IN CAA 0 issue "letsencrypt.org;validationmethods=http-01"
+matrix.berlin.ccc.de. IN CAA 0 iodef "mailto:caa@xengi.de"
+matrix.berlin.ccc.de. IN SSHFP 1 1 f40e117b002957939a454070adbbafe42d6f5842
+matrix.berlin.ccc.de. IN SSHFP 1 2 8ba0c605a365ef5369e91c531dd86fabfe4ce6dbd5e8280093ec2672d67c329b
+matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce89261d91
+matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887
 ```
 
 # Bots
From 3b84ac33f0bbdbc2acd657dd05826a18a5b3a31d Mon Sep 17 00:00:00 2001
From: xengi
Date: Fri, 5 Dec 2025 10:18:41 +0100
Subject: [PATCH 7/7] Update README.md
Signed-off-by: xengi
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bde01f5..e608ad8 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ server {
 
 # DNS
 
-```
+```dns
 _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
 _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
 matrix.berlin.ccc.de. IN A 195.160.173.25