diff --git a/manifests/setup.pp b/manifests/setup.pp
index c9629fdedfadf93bdc0a5710394237334c681307..be1dd1bb27fe6053cb85a5fa60717ffaeec99522 100644
--- a/manifests/setup.pp
+++ b/manifests/setup.pp
@@ -100,16 +100,21 @@ class irc_bouncer::setup {
       email => 'hugo@lysator.liu.se',
     }
   }
+  # TODO dynamic dns updtae fails since the DNS server manually writes
+  # the zone file, disregarding the journal. Update Lysators DNS
+  # server to not do that.
   -> class { '::letsencrypt::plugin::dns_rfc2136':
     # address of ns-master.lysator.liu.se
     # Since the python can't handle DNS...
     server              => '2001:6b0:17:f0a0::2',
     key_name            => $facts['fqdn'],
     key_algorithm       => 'HMAC-SHA256',
+    # TODO don't publish secret here
     key_secret          => 'YHR7/5gOkdPF64GwWRu6Ge8jcjz8siqCWIy/G8FsVzw=',
     propagation_seconds => 10,
     manage_package      => true,
   }
+  # TODO znc probably needs to be reloaded after cert upgrade
   -> letsencrypt::certonly { $certname:
     ensure          => 'present',
     domains         => [ $facts['fqdn'], ],
@@ -118,6 +123,7 @@ class irc_bouncer::setup {
     additional_args => [ '--quiet', ],
   }
 
+  # TODO files in archive is still not readable by znc
   file { ['/etc/letsencrypt/live',
           '/etc/letsencrypt/archive', ]:
     ensure => directory,