{
  config,
  lib,
  pkgs,
  outputs,
  ...
}:

{
  # ACME certificate for nayeonie.com plus its wildcard, obtained with the
  # DNS-01 challenge (wildcard names require DNS validation).
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "aliceghuston@gmail.com";

  security.acme.certs."nayeonie.com" = {
    # One certificate, and therefore one private key, covers the apex and
    # every subdomain, so a leaked key exposes the whole zone.
    extraDomainNames = [
      "*.nayeonie.com"
      # "alicehuston.xyz"
      # "*.alicehuston.xyz"
    ];

    # DNS-01 through DNSimple. The API credentials come from the sops-managed
    # secret file rather than being written into this module.
    # NOTE(review): whoever holds this token can satisfy DNS-01 for these
    # names; scope it as narrowly as the provider allows and rotate it if the
    # host is ever suspected of compromise.
    dnsProvider = "dnsimple";
    environmentFile = config.sops.secrets."acme/dnsimple".path;

    # Skips the check that the challenge TXT record is visible before the CA
    # is asked to validate.
    # NOTE(review): the reason is not recorded here; with the check off,
    # issuance and renewal can fail intermittently on slow propagation, so
    # make sure failed renewals are monitored.
    dnsPropagationCheck = false;

    # Certificate files are assigned to this group so HAProxy can load them;
    # every member of "haproxy" can therefore read the wildcard private key.
    group = "haproxy";
  };

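  # Run the certificate unit with the flake's own lego build instead of the
  # one the ACME module would put on PATH.
  #
  # Keys under systemd.services are unit names WITHOUT the ".service" suffix;
  # NixOS appends it. The previous key "acme-nayeonie.com.service" therefore
  # described a separate stub unit ("acme-nayeonie.com.service.service") and
  # left the real certificate unit untouched, so the override never applied.
  #
  # mkForce replaces the module's PATH list outright, so the helper tools are
  # listed again alongside lego.
  # NOTE(review): this list was presumably copied from the ACME module and
  # will not follow upstream changes. After upgrading NixOS, confirm that the
  # unit which actually invokes lego is the one overridden here
  # (`systemctl cat acme-nayeonie.com.service`).
  systemd.services."acme-nayeonie.com".path = lib.mkForce [
    pkgs.coreutils
    pkgs.diffutils
    pkgs.openssl
    # NOTE(review): the system is hard-coded, so this module only evaluates
    # usefully on x86_64-linux hosts.
    outputs.packages.x86_64-linux.lego-latest
  ];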

  # DNSimple API credentials used as the certificate's environmentFile.
  # Only the owner is set here, to root; mode and group are not overridden in
  # this file.
  # NOTE(review): presumably root ownership is enough because systemd itself
  # reads the environment file before the unit drops privileges; confirm that
  # no other account needs access, and keep it that way.
  sops.secrets."acme/dnsimple".owner = "root";
}