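# ACME (Let's Encrypt) certificates for this host, issued via the DNS-01
# challenge against an RFC 2136 (dynamic DNS update) capable nameserver.
# Only rfc2136-based challenges are supported by this module.
{ config, pkgs, lib, ... }:
let
  inherit (lib) mkIf mkEnableOption mkOption types;
  inherit (config.networking) fqdn;
  cfg = config.acme;
in
{
  options.acme = {
    enable = mkEnableOption "" // { default = true; };

    useSelfDns = mkOption {
      type = types.bool;
      default = false;
      description = "Sets values of the self DNS if enabled, otherwise requires manual `rfc2136` nameserver and key values.";
    };

    rfc2136 = {
      key = mkOption {
        type = types.path;
        # Runtime path to the TSIG key file (decrypted by agenix at activation).
        # This value is interpolated into `environmentFile` below, which lives in
        # the nix store; it must therefore stay a plain runtime path string and
        # never a Nix path literal, otherwise the key material itself would be
        # copied into the world-readable store.
        default = config.age.secrets."dns/${fqdn}.key.age".path;
      };
      nameserver = mkOption {
        # `nullOr` so that the unset case (useSelfDns = false and no manual
        # value) reaches the assertion below with its hint, instead of failing
        # the option type check with a generic "not of type string" error.
        type = types.nullOr types.str;
        default = if cfg.useSelfDns then fqdn else null;
      };
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = with cfg.rfc2136; nameserver != null && key != null;
        message = "ACME needs rfc2136 parameters to work, consider using `useSelfDns` option.";
      }
    ];

    # Keep issued certificates and account data across reboots.
    environment.persistence."/persist".directories = [
      { directory = "/var/lib/acme"; group = "acme"; user = "acme"; }
    ];

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "error@tuxcord.net";
        reloadServices = [ "nginx" ];
        # Notify via ntfy once a renewed certificate is live; the ntfy
        # parameters come from an agenix secret sourced at run time, not from
        # the store.
        postRun = ''
          source ${config.age.secrets.ntfy.path}
          ${pkgs.ntfy-sh}/bin/ntfy publish -T recycle -t "${config.host.name}" "HTTPS certificate has been renewed"
        '';
      };
      certs."${fqdn}" = {
        dnsProvider = "rfc2136";
        # This file is written to the nix store, so it holds only the nameserver
        # and the *path* to the TSIG key file, never the key itself.
        environmentFile = with cfg.rfc2136; builtins.toFile "dns-01-challenge.cfg" ''
          RFC2136_NAMESERVER=${nameserver}
          RFC2136_TSIG_FILE="${key}"
        '';
        # Wildcard plus apex; the wildcard is what requires the DNS-01 challenge.
        extraDomainNames = [ "*.${fqdn}" "${fqdn}" ];
        group = config.services.nginx.group;
      };
    };
  };
}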