{ config, lib, pkgs, ... }:

{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "hostmaster@vapor.systems";
      dnsProvider = "pdns";
      credentialsFile = "/etc/secrets/pdns_api.env";
    };
  };

  secrets = {
    pdnsAPI = {
      source = ../../secrets/pdns/pdns_api.env;
      dest = "/etc/secrets/pdns_api.env";
    };
  };

  users.users.nginx = lib.mkIf config.services.nginx.enable {
    extraGroups = [ "acme" ];
  };
}