diff --git a/manifests/setup.pp b/manifests/setup.pp
index 0cfc79227bca0eb3979f49094b55661fa9822ea2..638828c4c263e781815d3ac1d57c2a2913f828e9 100644
--- a/manifests/setup.pp
+++ b/manifests/setup.pp
@@ -47,6 +47,7 @@ class irc_bouncer::setup {
     ensure => directory,
     owner  => 'znc',
   }
+
   # vcsrepo { '/var/lib/znc/znc-lysator':
   #   ensure   => latest,
   #   provider => git,
@@ -76,6 +77,15 @@ class irc_bouncer::setup {
     args => ['saslauthd'],
   }
 
+  # Letsencrypt challenge is done through DNS since the ZNC webserver
+  # is to inflexible, and I neither want to front it just for certs,
+  # and I don't want to stop ZNC just for updating certs.
+
+  # https://certbot-dns-rfc2136.readthedocs.io/en/stable/
+
+  # Secret is manually generated on the nameserver, and placed in the
+  # appropriate dns config file.
+  # $ tsig-keygen -a hmac-sha256 verdigris.lysator.liu.se
 
   class { '::letsencrypt':
     config  => {
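Review bot: The comment block added above `class { '::letsencrypt':` records how the TSIG secret is generated on the nameserver, but not where the matching key lives on this host or what the key is allowed to do. Neither is visible in this hunk, so the next maintainer cannot tell whether the credentials are Puppet-managed or how far a leaked key would reach. I would add something like `# The same key is placed by hand in certbot's rfc2136 credentials file on this host; keep it root-owned, mode 0600.` and `# On the nameserver the key should be limited to TXT updates for _acme-challenge.verdigris.lysator.liu.se.`, adjusted to whatever the actual setup is. While editing the comment, "to inflexible" should read "too inflexible", and the "neither ... and I don't" sentence reads more clearly as "I want neither to front it just for certs nor to stop ZNC just to update them". The `::letsencrypt` declaration continues past the end of the hunk, so its DNS plugin settings were not reviewed.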
@@ -107,13 +117,6 @@ class irc_bouncer::setup {
     mode   => '0755',
   }
 
-  # exec { 'znc make pem':
-  #   command => 'znc --datadir=/var/lib/znc --makepem',
-  #   path    => '/usr/bin:/bin',
-  #   user    => 'znc',
-  #   onlyif  => 'test ! -f /var/lib/znc/znc.pem',
-  # }
-
   file { '/var/lib/znc/moddata/cyrusauth/.registry':
     ensure  => file,
     content => "CreateUser true\n",