{ config, lib, ... }:

{
  # default acme settings
  security.acme = {
    acceptTerms = true;

    defaults.email = "fricloudacme.cameo530@simplelogin.com";
  };

  # give Nginx access to our certs
  services.nginx.group = config.security.acme.defaults.group;

  # acme user
  users.groups."${config.security.acme.defaults.group}".members = [];

  # state
  environment.persistence = lib.optionalAttrs config.mine.state.enable {
    root.directories = [
      "/var/lib/acme"
    ];
  };
}