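# NixOS module: ACME certificate for `domain` plus its wildcard, validated with
# DNS-01 through lego's rfc2136 provider, which sends dynamic updates to a DNS
# server listening on 127.0.0.1:5353.
{ pkgs, config, info, lib, ... }:
let
  domain = "sourcephile.fr";
  inherit (config.users) groups;

  # Secondary nameservers of the zone, as declared in the deployment's info set.
  secondaryNS = info.lebureau.dns.secondary.ns;

  # Collect `attr` (ipv4 / ipv6) from every secondary that declares it.
  # `lib.catAttrs` skips entries lacking the attribute, so a v4-only or
  # v6-only secondary is accepted.
  secondaryAddrs = attr: lib.catAttrs attr secondaryNS;

  # Render one nftables named set. nft rejects `elements = { }` as a syntax
  # error, so the `elements` line is omitted (leaving the set empty) when no
  # secondary carries that address family.
  mkAddrSet = name: type: addrs: ''
    set ${name} {
      type ${type}
      ${lib.optionalString (addrs != [ ]) "elements = { ${lib.concatStringsSep ", " addrs} }"}
    }
  '';
in
{
  # Named sets holding the secondaries' addresses. They are presumably matched
  # by output rules defined elsewhere (the `output-net-lego-*` names suggest
  # they allow lego's outbound DNS traffic to the secondaries) — confirm
  # against the rest of the ruleset.
  networking.nftables.ruleset = ''
    table inet filter {
      ${mkAddrSet "output-net-lego-ipv4" "ipv4_addr" (secondaryAddrs "ipv4")}
      ${mkAddrSet "output-net-lego-ipv6" "ipv6_addr" (secondaryAddrs "ipv6")}
    }
  '';

  # Ordering only: the renewal unit starts after unbound, but `after` does not
  # pull unbound in if it is not otherwise enabled.
  systemd.services."acme-${domain}".after = [ "unbound.service" ];

  security.acme.certs.${domain} = {
    email = "root@${domain}";
    # The wildcard name is what requires DNS-01 validation (HTTP-01 cannot issue it).
    extraDomainNames = [ "*.${domain}" ];
    group = groups."acme".name;
    keyType = "rsa4096";
    dnsProvider = "rfc2136";
    #dnsPropagationCheck = false;
    # Deliberately placed in the Nix store (world-readable): this file carries
    # only the update target and timing knobs, no TSIG secret, so lego sends
    # its updates unauthenticated to 127.0.0.1:5353 — the server listening
    # there presumably restricts updates to localhost; verify. If a TSIG key
    # (RFC2136_TSIG_KEY / RFC2136_TSIG_SECRET) is ever added, point
    # credentialsFile at a file outside the store instead of pkgs.writeText.
    credentialsFile = pkgs.writeText "credentials" ''
      RFC2136_NAMESERVER=127.0.0.1:5353
      RFC2136_PROPAGATION_TIMEOUT=1000
      RFC2136_POLLING_INTERVAL=30
      RFC2136_SEQUENCE_INTERVAL=30
      RFC2136_DNS_TIMEOUT=1000
      RFC2136_TTL=1
    '';
  };
}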