From ea94303f03686f0ab75dbac981c5b7c439c50d8b Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Thu, 4 Dec 2025 15:14:37 +0100
Subject: [PATCH] enable acme http challenge
---
 configuration.nix | 2 +-
 services/nginx.nix | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/configuration.nix b/configuration.nix
index ed0d5e2..404c171 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -146,7 +146,7 @@
 renewInterval = "daily";
 email = "acme@xengi.de";
 group = "nginx";
- webroot = "/var/lib/acme/acme-challenge";
+ webroot = "/var/lib/acme/acme-challenges";
 };
 };
 };
diff --git a/services/nginx.nix b/services/nginx.nix
index 8d79b53..e8c1f7b 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -4,6 +4,8 @@ let
 fqdn = "matrix.berlin.ccc.de";
 in
 {
+ users.users.nginx.extraGroups = [ "acme" ];
+
 services.nginx = {
 enable = true;
 resolver.addresses = [
@@ -46,6 +48,7 @@ in
 }
 ];
 locations = {
+ "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
 "/".return = "418 \"I'm a Teapot!\"";
 "= /.well-known/matrix/client" = {
 return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
@@ -67,5 +70,7 @@ in
 };
 };
- security.acme.certs."${fqdn}".reloadServices = [ "nginx" ];
+ security.acme.certs."${fqdn}" = {
+ reloadServices = [ "nginx" ];
+ };
 }
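Review bot: The added `users.users.nginx.extraGroups = [ "acme" ];` in the `@@ -4,6 +4,8 @@` hunk of services/nginx.nix gives the internet-facing nginx user a second group without saying why, which widens what that process can read under the ACME state directory. The ACME defaults visible in configuration.nix already set `group = "nginx"`, so the certificates, and possibly the challenge directory, may already be reachable through nginx's own group; if that holds, this line can be dropped. If the membership is required, record the reason next to it, for example `# nginx must traverse the acme-owned webroot to serve HTTP-01 tokens`, and confirm that the ACME account keys are not group-readable.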
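Review bot: The new location key `"/.well-known/acme-challenge"` in the `@@ -46,6 +48,7 @@` hunk is a plain prefix match with no trailing slash, so it also matches sibling paths such as `/.well-known/acme-challengeX` (constructed example), and any regex location added to this vhost later would take precedence over it. Writing it as `"^~ /.well-known/acme-challenge/".root = config.security.acme.defaults.webroot;` confines it to the token directory and keeps regex locations from overriding it. The vhost definition, its listener list and the module's argument list lie outside the hunk, so it is worth confirming that this vhost answers plain HTTP on port 80, where HTTP-01 validation arrives, and that `config` is in scope in this file.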