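# NixOS module: requests one certificate for the apex domain and its wildcard
# through the ACME DNS-01 challenge, using the lego "rfc2136" (dynamic DNS
# update) provider against a nameserver on the loopback interface.
{ pkgs, lib, config, ... }:

let
  inherit (config.users) groups;
  domain = "autogeree.net";
in
{
  # Ordering only: the ACME unit starts after unbound when both are scheduled.
  # `after` does not pull unbound in and does not wait for it to answer
  # queries.
  systemd.services."acme-${domain}".after = [ "unbound.service" ];

  security.acme.certs."${domain}" = {
    email = "root+letsencrypt@${domain}";

    # Wildcard SAN: the private key of this one certificate is valid for every
    # subdomain, so a leak of the key affects all of them at once.
    extraDomains = { "*.${domain}" = null; };

    # The certificate files are owned by the "acme" group, and
    # allowKeysForGroup also gives that group read access to the private key.
    # Every member of the group can therefore read the wildcard key; keep the
    # membership limited to the services that terminate TLS.
    # NOTE(review): later NixOS releases changed these two options; check them
    # against the release this host runs.
    group = groups."acme".name;
    allowKeysForGroup = true;

    keyType = "rsa4096";
    dnsProvider = "rfc2136";

    # pkgs.writeText puts this file in the Nix store, which every local user
    # can read. That is acceptable only because the file holds no secret.
    # A TSIG key (RFC2136_TSIG_KEY / RFC2136_TSIG_SECRET /
    # RFC2136_TSIG_ALGORITHM) must never be added here; point credentialsFile
    # at a root-only path outside the store instead.
    #
    # No TSIG settings are present, so the updates lego sends to
    # 127.0.0.1:5353 are unsigned and the nameserver's own update policy is the
    # only control. NOTE(review): confirm that server accepts updates only from
    # loopback and only for the _acme-challenge records, since whoever can
    # write those records can obtain certificates for the domain.
    #
    # LEGO_EXPERIMENTAL_CNAME_SUPPORT=1 makes lego follow a CNAME on the
    # _acme-challenge name, so validation is delegated to the CNAME target's
    # zone, which then needs the same protection.
    #
    # One variable per line: the file is read as an environment file.
    credentialsFile = pkgs.writeText "credentials" ''
      RFC2136_NAMESERVER=127.0.0.1:5353
      LEGO_EXPERIMENTAL_CNAME_SUPPORT=1
    '';
  };
}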