From 91b76ba49c63ca56416ca8465d7965a4451e2875 Mon Sep 17 00:00:00 2001
From: s-prechtl
Date: Mon, 14 Jul 2025 18:41:21 +0200
Subject: [PATCH] feat: acme over nginx

---
 hosts/hitsugibune/matrix.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
index c377826..86ab4f2 100644
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@@ -42,9 +42,18 @@ in {
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+ services.nginx.virtualHosts.${config.services.coturn.realm} = {
+ addSSL = true;
+ enableACME = false; # we’ll do ACME ourselves
+ forceSSL = false;
+ locations."/.well-known/acme-challenge/" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+};
+
 security.acme.certs.${config.services.coturn.realm} = {
- listenHTTP = "0.0.0.0:80";
 email = "stefan@tague.at";
+ webroot = "/var/lib/acme/acme-challenges";
 postRun = "systemctl restart coturn.service";
 group = "turnserver";
 };
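Review bot: The new nginx vhost sets `addSSL = true;` together with `enableACME = false;`, and nothing inside the block supplies a certificate (`useACMEHost`, or `sslCertificate`/`sslCertificateKey`), so unless one is defined elsewhere in the file the TLS side of this vhost has no certificate to serve. If the vhost exists only to answer HTTP-01 challenges on port 80, dropping `addSSL = true;` and `forceSSL = false;` is the smaller fix. If TLS is wanted, `useACMEHost = config.services.coturn.realm;` would reuse the certificate, though the cert's `group = "turnserver";` would then presumably have to admit the nginx user as well. The shared `/var/lib/acme/acme-challenges` path deserves a comment next to `webroot` stating its expected ownership, for example `# writable by the ACME client only, readable by nginx`, because anyone who can write there can answer challenges for the realm.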