{ config, ... }:

{
  security.acme = {
    acceptTerms = true;
    defaults.email = "till@ktiu.net";
    certs."${config.networking.domain}" = {
      # domain = config.networking.domain;
      webroot = "/var/lib/acme/.challenges";
      group = config.services.nginx.group;
      extraDomainNames = [ config.networking.fqdn ];
    };
  };

  services.nginx.virtualHosts = {
    "${config.networking.fqdn}-80" = {
      serverAliases = [
        "*.ktiu.net"
        "*.t9e.me"
      ];
      locations."/.well-known/acme-challenge" = {
        root = "/var/lib/acme/.challenges";
      };
      locations."/" = {
        return = "301 https://$host$request_uri";
      };
    };
  };
}