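# ACME (Let's Encrypt) certificates obtained through the DNS-01 challenge.
# Per-provider API credentials are decrypted by sops-nix into a file that is
# handed to the ACME client as `environmentFile`. The sops secret name and the
# lookup inside `dnsConfig` share the "dns/<provider>" key, so the two naming
# schemes must be changed together.
{ config, flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.users.${user0}) email;
  inherit (flake.config.services) instances;

  # Referenced only by the currently disabled cert entries below; kept so those
  # lines can be re-enabled without re-adding the bindings.
  domain0 = instances.web.domains.url0;
  domain1 = instances.web.domains.url1;
  domain4 = flake.inputs.linkpage.secrets.domains.projectsite;

  service = instances.acme;

  # DNS provider identifiers and the matching sops secret names.
  dns0 = instances.web.dns.provider0;
  dns1 = instances.web.dns.provider1;
  dns0Path = "dns/${dns0}";
  dns1Path = "dns/${dns1}";
in
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = email.address0;
      # Production endpoint (rate-limited); switch to the staging directory
      # while experimenting with new cert entries.
      server = "https://acme-v02.api.letsencrypt.org/directory";
    };
    certs =
      let
        # Cert settings for a DNS-01 challenge via provider `dns`, reading the
        # provider credentials from the sops secret named `provider`.
        # The original declaration carried a third, unused `directory`
        # parameter; with only two arguments supplied, every cert value was a
        # partially-applied function that evaluated only because submodule
        # options also accept function-valued modules. Dropping the parameter
        # makes each value the plain attribute set the option expects.
        dnsConfig = provider: dns: {
          dnsProvider = dns;
          environmentFile = config.sops.secrets.${provider}.path;
        };
      in
      {
        # "${instances.audiobookshelf.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.glance.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.jellyfin.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.searx.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0;
        "${instances.vaultwarden.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.opencloud.domains.url0}" = dnsConfig dns0Path dns0;
        "${instances.forgejo.domains.url0}" = dnsConfig dns0Path dns0;
        # "${instances.mastodon.domains.url0}" = dnsConfig dns0Path dns0;
        # "${domain0}" = dnsConfig dns0Path dns0;
        # "${domain1}" = dnsConfig dns0Path dns0;
        # "${domain4}" = dnsConfig dns1Path dns1;
      };
  };

  sops =
    let
      dnsList = [ dns0 dns1 ];
      secretList = [ "pass" ];
      # Where the decrypted provider credential lands. Kept root-owned and
      # 0600: the file holds a DNS API token, and an environment file is
      # normally read by the service manager rather than by the unprivileged
      # service user, so it does not need to be readable by that user —
      # re-check against the acme unit if this ever fails with EACCES.
      sopsPath = secret: dns: {
        path = "/var/lib/secrets/${instances.acme.name}/${dns}-${secret}";
        owner = "root";
        mode = "600";
      };
    in
    {
      # One secret per DNS provider, named "dns/<provider>" to match the
      # `provider` argument passed to dnsConfig above.
      # NOTE: the name does not include `secret`, and builtins.listToAttrs keeps
      # only the first entry per name, so a second element in secretList would
      # be silently dropped; extend the name scheme and dnsConfig together.
      secrets = builtins.listToAttrs (
        builtins.concatLists (
          map (
            dns:
            map (secret: {
              name = "dns/${dns}";
              value = sopsPath secret dns;
            }) secretList
          ) dnsList
        )
      );
    };

  systemd = {
    # Recursively set ownership and mode of the ACME state path for the
    # service user.
    # NOTE(review): if `service.sops.path0` is the same tree as the secret
    # paths written above, this recursive `Z` rule would override the
    # root:600 applied to the credential files — confirm the two paths do
    # not overlap.
    tmpfiles.rules = [
      "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
    ];
  };
}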