# NixOS module for the ACME certificate of one domain on this host.
#
# The certificate (apex plus wildcard) is obtained with lego's RFC2136
# DNS-01 provider, which publishes the challenge through dynamic DNS
# updates authenticated with a TSIG key.  The TSIG secret is delivered to
# the renewal service as a systemd encrypted credential, and the nftables
# sets declared here name the remote addresses that traffic is allowed to
# reach.
{ pkgs, lib, config, inputs, hosts, hostName, ... }:
let
  domain = "sourcephile.fr";
  # Underscore form of the domain, used to derive the TSIG key name below.
  domainID = lib.replaceStrings ["."] ["_"] domain;
  inherit (config.users) groups;
  # Names shared by the certificate and its renewal service.
  certName = domain;
  serviceName = "acme-${domain}";
  # systemd credential carrying the TSIG secret.  The encrypted blob is kept
  # in this flake under the host's acme/ directory and is decrypted by
  # systemd when the service starts, so the Nix store only ever holds
  # ciphertext.
  tsigCredential = "${domain}.tsig";
  tsigCredentialPath = "${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred";
in
{
  # Address sets for the DNS-01 traffic: mermet's IPv4 address plus the
  # Gandi nameserver addresses.  Only the sets are declared here; the
  # output rules that reference them presumably live in another module.
  networking.nftables.ruleset = ''
    table inet filter {
      # ACME DNS-01 challenge and Gandi DNS
      set output-net-lego-ipv4 {
        type ipv4_addr
        elements = {
          ${hosts.mermet._module.args.ipv4},
          217.70.177.40
        }
      }
      set output-net-lego-ipv6 {
        type ipv6_addr
        elements = { 2001:4b98:d:1::40 }
      }
    }
  '';

  security.acme.certs.${certName} = {
    email = "root+letsencrypt@${domain}";
    # The wildcard rides along with the apex; wildcards can only be issued
    # through a DNS-01 challenge, which is why the rfc2136 provider is used.
    extraDomainNames = [ "*.${domain}" ];
    group = groups.acme.name;
    keyType = "rsa4096";
    dnsProvider = "rfc2136";
    # ns6.gandi.net takes roughly 5min to update
    # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
    #dnsPropagationCheck = false;
    # Every provider setting is passed through the service environment
    # below, so no on-disk credentials file is needed; /dev/null keeps the
    # option set without exposing anything.
    credentialsFile = "/dev/null";
  };

  systemd.services.${serviceName} = {
    # Ordering only: the renewal waits for the local resolver, but `after`
    # alone does not pull unbound in (no `wants`/`requires`).
    after = [ "unbound.service" ];
    serviceConfig.LoadCredentialEncrypted = [ "${tsigCredential}:${tsigCredentialPath}" ];
    environment = {
      # NOTE(review): %d expands to the service's credentials directory, so
      # this hands lego a *path*.  lego reads RFC2136_TSIG_SECRET as the
      # secret value itself and reads from a file only via the `_FILE`
      # suffixed variant; confirm against a successful renewal whether
      # RFC2136_TSIG_SECRET_FILE was intended here.
      RFC2136_TSIG_SECRET = "%d/${tsigCredential}";
      RFC2136_NAMESERVER = "ns.${domain}:53";
      # Trailing dot: the fully-qualified algorithm name form lego expects.
      RFC2136_TSIG_ALGORITHM = "hmac-sha256.";
      RFC2136_TSIG_KEY = "acme_${domainID}";
      # Generous timeouts to cover the slow secondary propagation noted on
      # the certificate definition above.
      RFC2136_PROPAGATION_TIMEOUT = "1000";
      RFC2136_POLLING_INTERVAL = "30";
      RFC2136_SEQUENCE_INTERVAL = "30";
      RFC2136_DNS_TIMEOUT = "1000";
      # Presumably a short TTL so the challenge TXT record is not cached
      # for long once it is removed.
      RFC2136_TTL = "1";
    };
  };
}