From 00133e544f862f00b55c1b5f349625e9f5785fff Mon Sep 17 00:00:00 2001
From: Nico
Date: Sun, 22 Feb 2026 20:22:20 +1100
Subject: [PATCH] forgejo: get certs for domain
---
 modules/services/forgejo.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index b0f8fde..9b6575d 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -25,13 +25,20 @@
 };
 };
+ security.acme.certs."${config.services.forgejo.settings.server.DOMAIN}" = {
+ domain = "${config.homelab.authDomain}";
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ };
+
 # forgejo has user keys under its own .ssh/authorizedKeys file.
 # nix blocks me from using users.users..openssh.authorizedKeys.keyFiles
 # in order to only allow that to the forgejo user as it has "/var"
 services.openssh.authorizedKeysInHomedir = lib.mkForce true;
- services.caddy.virtualHosts."git.${config.homelab.publicDomain}" = {
- useACMEHost = config.homelab.domain;
+ services.caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
+ useACMEHost = config.services.forgejo.settings.server.DOMAIN;
 extraConfig = ''
 reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
 '';
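Review bot: In the new `security.acme.certs` entry the certificate is named after `config.services.forgejo.settings.server.DOMAIN`, but its `domain` is set to `config.homelab.authDomain`, so the issued certificate covers the auth domain rather than the host name the Caddy virtual host now serves. Unless `authDomain` equals that name or is a wildcard covering it (neither option's value is visible in this hunk), clients reaching Forgejo will get a hostname-mismatch warning on the service that carries logins and Git pushes over HTTPS. The `domain` option defaults to the attribute name, so the line can be dropped or written as `domain = config.services.forgejo.settings.server.DOMAIN;`. The Cloudflare credential is not set in this entry either; presumably it is inherited from `security.acme.defaults`, and it is worth confirming that it is an `environmentFile` kept outside the Nix store with a token limited to DNS edits on this one zone. The virtual host attribute set continues past the end of the hunk.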