# NixOS module: one ACME certificate for sefidel.com plus its service
# subdomains, validated through the "hetzner" DNS provider, with the provider
# credentials read from a sops-managed secret.
{ config, ... }:
let
  # Builds "<local>@<domain>" at evaluation time so the contact address does
  # not appear verbatim in the source. As the name says, this only deters
  # naive scrapers; the address is still visible in the evaluated config.
  poorObfuscation = domain: local: "${local}@${domain}";

  # The secret entry declared below; `.path` is what the cert config consumes.
  dnsKey = config.sops.secrets.hetzner-dns-key;
in
{
  # Owner is "acme", presumably the account that runs certificate renewal, so
  # that only that account needs read access to the DNS credentials.
  sops.secrets.hetzner-dns-key.owner = "acme";

  security.acme.acceptTerms = true;
  security.acme.defaults.email = poorObfuscation "sefidel.com" "postmaster";

  security.acme.certs."sefidel.com" = {
    domain = "sefidel.com";

    # All names share this one certificate and therefore one private key.
    extraDomainNames = [
      "bouncer.sefidel.com"
      "git.sefidel.com"
      "matrix.sefidel.com"
      "social.sefidel.com"
    ];

    # Setting a DNS provider selects DNS-based validation for this cert.
    dnsProvider = "hetzner";
    dnsPropagationCheck = true;

    # The credential can change records in the zone, so handle it like control
    # of the domain. It is passed by path, so the value itself is never
    # written into this file.
    credentialsFile = dnsKey.path;
  };

  # Keeps /var/lib/acme across reboots via the "/persist" persistence root.
  # NOTE(review): this directory likely holds account data and certificate
  # private keys; confirm ownership and mode on the /persist copy.
  environment.persistence."/persist" = {
    directories = [ "/var/lib/acme" ];
  };
}