# ACME host configuration (lego-based certificate issuance).
#
# Pulls in the per-domain ACME modules and grants the `acme` service user a
# narrowly scoped egress allowance: DNS (udp/tcp port `domain`) only, and only
# to the addresses held in the two `output-net-lego-*` sets. Both sets are
# declared empty here; nothing in this file fills them — presumably the
# imported per-domain modules do, confirm before relying on the restriction.
# `output-net` is a regular (unhooked) chain, so a base `output` chain defined
# in another ruleset fragment has to jump to it for these rules to take effect.
# The `counter`/`comment` pairs make the rules easy to audit in `nft list
# ruleset` and to watch for unexpected traffic.
{ config, pkgs, ... }:
let
  # User the nftables rules are keyed on; `skuid` matches the socket owner's uid.
  acmeUser = config.users.users.acme.name;
in
{
  imports = [
    ./acme/autogeree.net.nix
    ./acme/sourcephile.fr.nix
  ];

  # Accept the CA's terms of service (required by the NixOS ACME module).
  security.acme.acceptTerms = true;

  # lego CLI available system-wide, e.g. for manual runs and debugging.
  environment.systemPackages = [ pkgs.lego ];

  # Group for the acme service user.
  users.groups.acme = { };

  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-lego-ipv4 { type ipv4_addr; }
      set output-net-lego-ipv6 { type ipv6_addr; }
      chain output-net {
        skuid ${acmeUser} \
          meta l4proto { udp, tcp } th dport domain \
          ip daddr @output-net-lego-ipv4 \
          counter accept \
          comment "lego: DNS"
        skuid ${acmeUser} \
          meta l4proto { udp, tcp } th dport domain \
          ip6 daddr @output-net-lego-ipv6 \
          counter accept \
          comment "lego: DNS"
      }
    }
  '';
}