{ lib, config, inputs, pkgs, ... }:
let
  root_host = "grimmauld.de";

  # git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
  root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = root_email;
    certs."${root_host}" = {
      webroot = "/var/lib/acme/acme-challenge/";
    };
  };

  users.users.nginx.extraGroups = [ "acme" ];
}