{ pkgs, lib, config, ... }:
let
  inherit (builtins.extraBuiltins) pass;
  inherit (config) networking;
in
{
  deployment.keys = {
    "${networking.domain}.key.pem" = {
      text        = pass "x509/${networking.domain}/key.pem";
      user        = "root";
      group       = "root";
      destDir     = "/run/keys/";
      permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
    };
  };
}