{ pkgs, lib, config, ... }: let inherit (config.users) groups; domain = "sourcephile.fr"; in { systemd.services."acme-${domain}".after = [ "unbound.service" ]; security.acme.certs."${domain}" = { email = "root@${domain}"; extraDomains = { "*.${domain}" = null; }; group = groups."acme".name; allowKeysForGroup = true; keyType = "rsa4096"; dnsProvider = "rfc2136"; credentialsFile = pkgs.writeText "credentials" '' RFC2136_NAMESERVER=127.0.0.1:5353 RFC2136_PROPAGATION_TIMEOUT=1000 RFC2136_POLLING_INTERVAL=30 RFC2136_SEQUENCE_INTERVAL=30 RFC2136_DNS_TIMEOUT=1000 RFC2136_TTL=1 ''; }; }