# NixOS module: ACME (Let's Encrypt) account defaults plus the sops-managed
# DNS-provider credential files used for DNS challenges.
{ flake, ... }:
let
  inherit (flake.config.services) instances;
  service = instances.acme;
  # Registration contact: the primary user's first e-mail address.
  contact = flake.config.people.users.${flake.config.people.user0}.email.address0;
in
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = contact;
      # Production endpoint. Use the staging directory while experimenting to
      # stay clear of Let's Encrypt's issuance rate limits.
      server = "https://acme-v02.api.letsencrypt.org/directory";
    };
  };

  sops = let
    # One credential file per DNS provider ...
    providers = [ instances.web.dns.provider0 instances.web.dns.provider1 ];
    # ... and per secret kind. Only "pass" exists today; read the NOTE on
    # `declare` before adding another entry.
    secretKinds = [ "pass" ];

    # sops-nix declaration for one secret file.
    # NOTE(review): root:600 means only root can read the file. Whether the
    # consuming ACME/lego unit obtains it before dropping privileges (e.g.
    # via EnvironmentFile/LoadCredential) is not visible from this module —
    # confirm, otherwise the service user cannot open it.
    mkSecretFile = provider: kind: {
      path = "/var/lib/secrets/${service.name}/${provider}-${kind}";
      owner = "root";
      mode = "600";
    };

    # NOTE(review): the attribute name omits `kind`, so a second entry in
    # secretKinds yields duplicate names and builtins.listToAttrs silently
    # keeps only one of them. Extending secretKinds needs a new key scheme
    # here AND matching keys in the encrypted sops file.
    declare = provider: kind: {
      name = "dns/${provider}";
      value = mkSecretFile provider kind;
    };
  in {
    secrets = builtins.listToAttrs (
      builtins.concatMap (provider: map (declare provider) secretKinds) providers
    );
  };

  # Hand the secrets directory to the service user so it can traverse it.
  # NOTE(review): `Z` is recursive and an explicit mode of 755 is applied to
  # regular files beneath the path too, which would leave any plain secret
  # file there world-readable; it also re-owns the tree to the service user,
  # contradicting the `owner = "root"` declared above. Presumably the sops
  # entries land as symlinks into /run/secrets (which tmpfiles does not
  # chmod) and service.sops.path0 is that same directory — verify both, and
  # consider a non-recursive `z` on the directory alone.
  systemd.tmpfiles.rules = [
    "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
  ];
}