{
  flake,
  config,
  pkgs,
  lib,
  ...
}: {
  age.secrets."hosting-de-acme-secrets" = {
    file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
    mode = "400";
    owner = "acme";
  };

  security.acme = {
    acceptTerms = true;

    defaults = {
      email = "jfw@miom.space";
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      dnsProvider = "hostingde";
      dnsPropagationCheck = true;
      environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
      group = "nginx";
      webroot = null;
    };
  };
}