{ config, pkgs, ... }:
let
  knotCfg = config.services.knot;
  
  knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
    EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
    EXEC_PROPAGATION_TIMEOUT=300
    EXEC_POLLING_INTERVAL=5
  '';
  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
    #!${pkgs.zsh}/bin/zsh -xe

    mode=$1
    fqdn=$2
    challenge=$3

    owner=''${fqdn%".${zone}."}

    commited=
    function abort() {
      [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
    }

    ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
    trap abort EXIT

    case "''${mode}" in
      present)
        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
        ;;
      cleanup)
        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
        ;;
      *)
        exit 2
        ;;
    esac

    ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
    commited=yes
  '';
in {
  config = {
    fileSystems."/var/lib/acme" =
      { device = "surtr/safe/var-lib-acme";
        fsType = "zfs";
      };

    security.acme = {
      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      
      acceptTerms = true;
      preliminarySelfsigned = false;
      email = "phikeebaogobaegh@141.li";
      certs = {
        "rheperire.org" = {
          domain = "rheperire.org";
          extraDomainNames = [ "*.rheperire.org" ];
          dnsProvider = "exec";
          credentialsFile = knotDNSCredentials "rheperire.org";
          dnsResolver = "1.1.1.1:53";
        };
      };
    };

    users.groups."knot".members = [ "acme" ];
  };
}