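{ config, flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain email dns;
  inherit (flake.config.service.instance.acme) paths;
  inherit (flake.config.service) instance;

  # Name of the sops-nix secret that holds the DNS provider's API credential.
  # Declared once so the `sops.secrets` entry below and the ACME
  # `environmentFile` reference cannot drift apart: the previous revision
  # hard-coded "dns/namecheap" for the environmentFile while the secret was
  # declared as "dns/${dns.provider0}", which fails to evaluate as soon as
  # provider0 is anything other than "namecheap".
  dnsSecretName = "dns/${dns.provider0}";

  # Settings shared by every certificate. All certs use the DNS-01 challenge
  # through dns.provider0, so the single API credential referenced here can
  # satisfy a challenge for *any* name under url0 and url1 -- treat that file
  # as equivalent to write access to both zones and keep it root-only (see
  # the `sops` section).
  dnsConfig = {
    dnsProvider = dns.provider0;
    # NOTE(review): in the NixOS acme module `certs.<name>.directory` is
    # normally derived from the cert name; confirm it is settable on the
    # nixpkgs revision in use before relying on paths.path0 here.
    directory = paths.path0;
    environmentFile = config.sops.secrets.${dnsSecretName}.path;
  };

  # Subdomain label configured for a service instance.
  instanceName = service: instance.${service}.subdomain;

  domain0Services = [ "nextcloud" "jellyfin" "minecraft" "ollama" "syncthing" "vaultwarden" ];
  domain1Services = [ "nextcloud" "castopod" "forgejo" "matrix" "peertube" "writefreely" ];

  # One cert entry per FQDN: `zone` is the registered domain, `subs` the
  # subdomain labels under it.
  mkCerts = zone: subs: map (sub: { name = "${sub}.${zone}"; value = dnsConfig; }) subs;

  # Apex certificates for both zones.
  rootCerts = map (name: { name = name; value = dnsConfig; }) [ domain.url0 domain.url1 ];
in
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = email.address0;
      # Production ACME endpoint. Every entry in `certs` is a separate order,
      # so keep the issuer's per-registered-domain rate limits in mind when
      # adding services.
      server = "https://acme-v02.api.letsencrypt.org/directory";
    };
    # One certificate per host name rather than a wildcard per zone, so each
    # service only needs to hold the key for its own name.
    certs = builtins.listToAttrs (
      mkCerts domain.url0 (map instanceName domain0Services)
      ++ mkCerts domain.url1 (map instanceName domain1Services)
      ++ rootCerts
    );
  };

  sops =
    let
      sopsSecrets = [ "pass" ];
      # The decrypted credential lands under the ACME instance's own state
      # directory, root-owned and mode 600. The ACME service is expected to
      # read it via systemd's EnvironmentFile= (loaded by the service
      # manager, not the service user) -- TODO confirm against the module so
      # the file never needs to be widened to the acme user.
      sopsPath = secret: {
        path = "/var/lib/secrets/${instance.acme.name}/${dns.provider0}-${secret}";
        owner = "root";
        mode = "600";
      };
    in
    {
      # NOTE: the attribute name does not include `secret`, so every entry of
      # sopsSecrets would map onto the same sops secret name. Only "pass" is
      # declared today, and that name is exactly what dnsConfig references.
      secrets = builtins.listToAttrs (
        map (secret: { name = dnsSecretName; value = sopsPath secret; }) sopsSecrets
      );
    };
}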