{ pkgs, config, ... }:
let
  # The acme user is not declared in this file (its definition is the
  # disabled block at the bottom), so `config.users.users.acme` must be
  # supplied elsewhere — presumably by the NixOS security.acme module that
  # the settings below enable.  Only its name is needed here.
  acmeUser = config.users.users.acme.name;
in
{
  # Per-domain certificate definitions live in their own modules.
  imports = [
    acme/autogeree.net.nix
    acme/sourcephile.fr.nix
  ];

  # Accept the CA's terms of service for every certificate declared by the
  # imported modules.  No contact address is configured in this file; if one
  # is wanted it presumably belongs in the imported modules or in
  # security.acme.defaults.
  security.acme = {
    acceptTerms = true;
  };

  # Make sure the acme group exists even if nothing else declares it.
  users.groups = {
    acme = { };
  };

  # Expose the lego CLI system-wide.
  # NOTE(review): a lego run started by hand as another user (e.g. root) does
  # not own sockets as the acme UID and therefore is NOT matched by the skuid
  # rules below — it is subject to whatever the rest of output-net allows.
  environment.systemPackages = [
    pkgs.lego
  ];

  # Egress allow-list for lego's DNS traffic: sockets owned by the acme user
  # (`skuid`) may send UDP or TCP to port 53 (`domain`) only when the
  # destination is listed in one of the two sets (v4 and v6 respectively).
  # Both sets are declared empty here, so they have to be populated by another
  # fragment of the same `inet filter` table — presumably the imported modules.
  # If they stay empty and output-net ends in a drop, lego has no resolver.
  # Only DNS is granted here; the HTTPS connection to the ACME directory and
  # any DNS-provider API call need their own rules elsewhere.
  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-lego-ipv4 { type ipv4_addr; }
      set output-net-lego-ipv6 { type ipv6_addr; }
      chain output-net {
        skuid ${acmeUser} \
          meta l4proto { udp, tcp } th dport domain \
          ip daddr @output-net-lego-ipv4 \
          counter accept \
          comment "lego: DNS"
        skuid ${acmeUser} \
          meta l4proto { udp, tcp } th dport domain \
          ip6 daddr @output-net-lego-ipv6 \
          counter accept \
          comment "lego: DNS"
      }
    }
  '';

  /*
    Disabled: a static-UID acme user plus an assertion that the UID is not
    already reserved in config.ids.uids.  Kept for reference.
    NOTE(review): if re-enabled as written, `elem` and `attrValues` are not in
    scope with the current module arguments ({ pkgs, config, ... }); they
    would need to become `lib.elem` / `lib.attrValues` with `lib` added to the
    argument set.

    users.users.acme = {
      home = "/var/lib/acme";
      group = config.users.groups."acme".name;
      # Set a static UID to install the credentialFile
      # with acme:root perms before the system switch
      uid = 14;
      isSystemUser = true;
    };
    assertions = [
      { assertion = ! elem config.users.users.acme.uid (attrValues config.ids.uids);
        message = ''
          Unix user ID ${toString config.users.users.acme.uid} is already taken in config.ids.uids: change for a free UID.
        '';
      }
    ];
  */
}