# ACME certificate issuance through the hosting.de DNS provider.
# The provider credentials live in an age-encrypted secret and are passed to
# the ACME client by file path, never inlined into this module.
{ flake, config, pkgs, lib, ... }:
let
  # Name of the age secret that holds the hosting.de API credentials.
  acmeSecret = "hosting-de-acme-secrets";
in
{
  # Only the encrypted .age file is referenced from the flake source.
  age.secrets.${acmeSecret} = {
    file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
    # Read-only for the owning user; no group or world access.
    mode = "400";
    # Must match the user that reads credentialsFile below.
    owner = "acme";
  };

  security.acme.acceptTerms = true;

  security.acme.defaults = {
    email = "acme@benjaminbaedorf.eu";
    # Uncomment to issue against the Let's Encrypt staging endpoint while testing.
    # server = "https://acme-staging-v02.api.letsencrypt.org/directory";

    # DNS-based validation via hosting.de.
    dnsProvider = "hostingde";
    dnsPropagationCheck = true;
    # Check propagation against dns0 directly; the local unbound would get in the way.
    # NOTE(review): hard-coded external resolver address. Re-verify it if the
    # upstream service changes.
    dnsResolver = "193.110.81.0";
    # Path of the decrypted secret declared above.
    credentialsFile = config.age.secrets.${acmeSecret}.path;

    # Presumably lets nginx read the issued certificates and keys. Confirm that
    # no other account is a member of this group.
    group = "nginx";
    # Webroot explicitly unset; validation goes through dnsProvider.
    webroot = null;
  };
}