{ pkgs, lib, config, ... }:
let
  secrets = config.age.secrets;
in
{
  security.acme.acceptTerms = true;
  security.acme.defaults = {
    email = "le@fcuny.net";
    dnsProvider = "gandiv5";
    group = config.services.nginx.group;
    credentialsFile = secrets."gandi/apikey".path;
    dnsPropagationCheck = true;
  };
  security.acme.certs."${config.homelab.domain}" = {
    domain = "*.${config.homelab.domain}";
    extraDomainNames = [ config.homelab.domain ];
  };
}