{ config, lib, pkgs, ... }:

let
  # Base path for per-domain HTTP-01 challenge webroots; each certificate gets
  # its own directory, "<challengeRoot>-<domain>".
  challengeRoot = "/var/lib/acme/challenges";

  # Build the security.acme.certs entry for one domain.
  #
  # An acme system user is created. This user belongs to the acme group and its
  # home directory is /var/lib/acme. The user will try to create the directory
  # .well-known/acme-challenge/ under the webroot directory, so the web server
  # serving `domain` must expose that webroot at /.well-known/acme-challenge/.
  mkAcmeCert = domain:
    let
      # Contact address for renewal/expiry notices: "acme", the domain the
      # certificate is for, and the mailbox, joined with "+".
      contact = "acme+${domain}+charlie@charlieroot.dev";
    in
    {
      email = contact;
      # Group ownership of the issued key and certificate. "nginx" lets the
      # TLS-terminating service read them; keep this to the one service that
      # actually needs the private key.
      group = "nginx";
      webroot = "${challengeRoot}-${domain}";
    };
in
{
  security.acme = {
    # Required by the NixOS module before any certificate is requested.
    acceptTerms = true;

    defaults = {
      # Fallback contact for certificates that do not set their own email.
      email = "charlie@charlieroot.dev";
      # testing server, do not use in production, but DO use it for setting things up.
      # it has much higher rate limits.
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    # certs = {
    #   "copeberg.org" = mkAcmeCert "copeberg.org";
    #   "info.copeberg.org" = mkAcmeCert "info.copeberg.org";
    # };
  };
}