{ config, ... }:

{
  sops.secrets.lego-credentials = {
    sopsFile = ./secrets.yaml;
  };

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin+acme@cloonar.com";
  security.acme.defaults = {
    dnsProvider = "hetzner";
    credentialsFile = config.sops.secrets.lego-credentials.path;
    # We don't need to wait for propagation since this is a local DNS server
    dnsPropagationCheck = true;
  };
}