nixos/security: add acme through dns challenge

few side refactors of this:
- no more `dns.domain`, it all must rely on `fqdn`, prevents
  inconsistencies.
- also added an specific host `tuxcord-acmetest` that uses the key zone
  for `nix.tuxcord.net` to test certificate pulling.

nixos/modules/gitea.nix

@@ -1,4 +1,9 @@
 { config, lib, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  acmeEnabled = config.acme.enable;
+in
 {
   services.gitea = {
     enable = true;
@@ -8,8 +13,8 @@
 
     lfs.enable = true;
 
-    settings.server.DOMAIN = config.networking.fqdn;
-    # settings.server.ROOT_URL = "https://git.tuxcord.net/"; ? would also depend on ssl status
+    settings.server.DOMAIN = fqdn;
+    settings.server.ROOT_URL = "${if isHTTPS then "https" else "http"}://${fqdn}/";
     settings.server.HTTP_PORT = 3000;
 
     settings.service.DISABLE_REGISTRATION = true;