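# NixOS module: a thin wrapper around security.acme that requests every
# certificate through the Cloudflare DNS-01 challenge.  Each entry of
# `certs` becomes one security.acme.certs.<name>, with its subject
# alternative names built from `subDomains`.
{ config, lib, ... }:
with lib;
let
  cfg = config.modules.services.acme;
in
{
  options.modules.services.acme = {
    enable = mkEnableOption "ACME certificate manager";

    email = mkOption {
      type = types.str;
      description = mdDoc ''
        The postmaster email address to use.
      '';
    };

    certs = mkOption {
      # Default to "no certificates" so that enabling the module without
      # defining any cert evaluates cleanly instead of failing on an
      # option that was used but never set.
      default = { };
      description = ''
        Certificates to request, keyed by the base domain name.  Every
        entry of `subDomains` is appended to the key (e.g. `www` under
        `example.org` yields `www.example.org`) and added as an extra name.
      '';
      type = types.attrsOf (types.submodule {
        options = {
          domain = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              Explicit value for security.acme.certs.<name>.domain.  When
              null nothing is set here and security.acme's own default for
              that option applies.
            '';
          };
          subDomains = mkOption {
            type = types.listOf types.str;
            default = [ ];
            description = ''
              Sub-domain labels (without the base domain) to include as
              additional names on the certificate.
            '';
          };
        };
      });
    };

    secrets.acme-credentials = mkOption {
      # Deliberately types.str rather than types.path: a path value would
      # be copied into the world-readable Nix store, exposing the
      # Cloudflare API token contained in the environment file.
      type = types.str;
      description = "path to the acme environment file";
    };
  };

  config = mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = cfg.email;

      certs = mapAttrs
        # The trailing `...` matters: the config set of a submodule carries
        # internal attributes (such as `_module`) in addition to the
        # declared options, and a closed pattern would reject them.
        (name: { domain, subDomains, ... }:
          {
            # SANs are derived from the attribute name, not from `domain`.
            extraDomainNames = lists.forEach subDomains (sub: "${sub}.${name}");
            # DNS-01 through Cloudflare.  The credentials file is read at
            # runtime by the acme service and never enters the store.
            # NOTE(review): the file grants whatever its API token can do;
            # scope the token to DNS edit on the affected zones only.
            dnsProvider = "cloudflare";
            dnsPropagationCheck = true;
            credentialsFile = cfg.secrets.acme-credentials;
          }
          // optionalAttrs (domain != null) { inherit domain; })
        cfg.certs;
    };

    # /var/lib/acme holds the account key and the certificates' private
    # keys, so it has to survive reboots with ownership and permissions
    # intact (owned by the acme user, not world-readable).  Whether
    # modules.persistence preserves them is not visible here — confirm.
    modules.persistence.directories = [ "/var/lib/acme" ];
  };
}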