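# NixOS module: ACME certificates obtained via a DNS-01 challenge, with the
# DNS provider credentials supplied through sops-nix.
{ config, flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.users.${user0}) email;
  inherit (flake.config.services) instances;

  service = instances.acme;
  domain0 = instances.web.domains.url0;
  dns0 = instances.web.dns.provider0;
  # Attribute name of the sops secret holding the provider credentials; it
  # must match the `name` generated in the `sops.secrets` block below.
  dns0Path = "dns/${dns0}";

  # Subdomain label of a service, looked up by its attribute name under
  # `instances`.
  instanceName = svc: instances.${svc}.subdomain;

  # Per-certificate ACME settings for a DNS-01 challenge.
  #   secretName - attribute name of the sops secret with the credentials
  #   dns        - DNS provider identifier handed to security.acme
  dnsConfig = secretName: dns: {
    dnsProvider = dns;
    directory = instances.acme.paths.path0;
    environmentFile = config.sops.secrets.${secretName}.path;
  };
in
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = email.address0;
      server = "https://acme-v02.api.letsencrypt.org/directory";
    };
    # One certificate per listed service, named "<subdomain>.<domain0>".
    # The list is currently empty (both entries are commented out), so this
    # module requests no certificates until one is enabled.
    certs = builtins.listToAttrs (
      map (svc: {
        name = "${instanceName svc}.${domain0}";
        value = dnsConfig dns0Path dns0;
      }) [
        # instances.nextcloud.name
        # instances.opencloud.name
      ]
    );
  };

  sops =
    let
      dnsList = [ dns0 ];
      secretList = [ "pass" ];
      # NOTE(review): the generated attribute name is "dns/<dns>" and does not
      # include `secret`, so adding a second entry to `secretList` would
      # produce duplicate names and only one of them would survive
      # listToAttrs. Left unchanged because `dnsConfig` (via dns0Path) and the
      # key naming in the sops file depend on that name.
      sopsPath = secret: dns: {
        path = "/var/lib/secrets/${instances.acme.name}/${dns}-${secret}";
        owner = "root";
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        builtins.concatLists (
          map (dns:
            map (secret: {
              name = "dns/${dns}";
              value = sopsPath secret dns;
            }) secretList
          ) dnsList
        )
      );
    };

  systemd = {
    # `Z` recursively re-owns `service.sops.path0` (presumably the directory
    # under which the secrets above are placed — confirm) to the service
    # user. The mode is 750 rather than 755: a recursive 755 would have made
    # the credential files beneath it readable by every local user, while the
    # owning service keeps full access either way.
    tmpfiles.rules = [
      "Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
    ];
  };
}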