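{ pkgs, ... }:
let
  # Credentials file handed to lego's "exec" DNS provider. It contains no
  # secret, only the path of the hook script, which is just as well: anything
  # built with writeText ends up world-readable in /nix/store.
  # (writeText takes positional name/text arguments; writeTextFile expects an
  # attrset and fails to evaluate when called this way.)
  knotDNSCredentials = zone:
    pkgs.writeText "lego-credentials" ''
      EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
    '';

  # Hook script lego invokes as: update-dns.sh <present|cleanup> <fqdn> <txt-value>
  # (the exec provider's default calling convention). It stages the ACME TXT
  # record in the given Knot zone through knotc inside a zone transaction.
  knotDNSExec = zone:
    pkgs.writeScriptBin "update-dns.sh" ''
      #!${pkgs.zsh}/bin/zsh -xe
      # Absolute path: the hook runs from the acme systemd unit, whose PATH is
      # not guaranteed to contain knotc.
      knotc=${pkgs.knot-dns}/bin/knotc

      mode=$1
      fqdn=$2
      challenge=$3
      # Strip the zone suffix so the owner is relative to the zone apex.
      # NOTE(review): lego passes fqdn with a trailing dot, so this yields
      # e.g. "_acme-challenge." — confirm knotc accepts that form.
      owner=''${fqdn%"${zone}."}

      # Reject unknown modes before opening a transaction, so a bad call
      # cannot leave the zone locked.
      case "''${mode}" in
        present|cleanup) ;;
        *) exit 2 ;;
      esac

      $knotc zone-begin "${zone}"
      # Any failure inside the transaction must abort it; otherwise the next
      # zone-begin is refused and every later renewal fails as well.
      abort() { $knotc zone-abort "${zone}"; exit 1; }
      case "''${mode}" in
        present)
          $knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}" || abort
          ;;
        cleanup)
          $knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" || abort
          ;;
      esac
      $knotc zone-commit "${zone}" || abort
    '';
in {
  config = {
    # Keep certificates and ACME account state on a dedicated ZFS dataset.
    fileSystems."/var/lib/acme" = {
      device = "surtr/safe/var-lib-acme";
      fsType = "zfs";
    };

    security.acme = {
      # Staging endpoint: issues untrusted certificates but has generous rate
      # limits. Switch to the production directory once the DNS hook is proven.
      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      acceptTerms = true;
      preliminarySelfsigned = false;
      email = "phikeebaogobaegh@141.li";
      certs = {
        "rheperire.org" = {
          domain = "rheperire.org";
          # A wildcard name requires the dns-01 challenge, hence the hook above.
          extraDomainNames = [ "*.rheperire.org" ];
          dnsProvider = "exec";
          credentialsFile = knotDNSCredentials "rheperire.org";
        };
      };
    };
  };
}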