{ lib, config, inputs, pkgs, ... }:
let
  root_host = "grimmauld.de";
  root_email = "contact@${root_host}";
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = root_email;
    certs."${root_host}" = {
      webroot = "/var/lib/acme/acme-challenge/";
    };
  };

  users.users.nginx.extraGroups = [ "acme" ];
}