{ pkgs, lib, config, ... }:
{
  sops.secrets.internetbs = {
    sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "harald@hoyer.xyz";
      dnsProvider = "cloudflare";
      credentialsFile = config.sops.secrets.internetbs.path;
    };
    certs = {
      "mx.surfsite.org" = {
        dnsProvider = "internetbs";
      };

      "surfsite.org" = {
        dnsProvider = "internetbs";
        extraDomainNames = [
          "*.surfsite.org"
        ];
      };

      "hartwin-hoyer.de" = {
        dnsProvider = "internetbs";
        extraDomainNames = [
          "*.hartwin-hoyer.de"
        ];
      };

      "varlink.org" = {
        dnsProvider = "internetbs";
        extraDomainNames = [
          "*.varlink.org"
        ];
      };

      "meike-hoyer.de" = { };

      "hoyer.xyz" = {
        extraDomainNames = [
          "*.hoyer.xyz"
          "*.harald.hoyer.xyz"
          "*.hartwin.hoyer.xyz"
        ];
      };

      "hoyer.world" = {
        extraDomainNames = [
          "*.hoyer.world"
          "*.harald.hoyer.world"
          "*.hartwin.hoyer.world"
        ];
      };

      "hoyer.social" = {
        extraDomainNames = [
          "*.hoyer.social"
          "*.harald.hoyer.social"
          "*.hartwin.hoyer.social"
        ];
      };

      "hoyer.photos" = {
        extraDomainNames = [
          "*.hoyer.photos"
          "*.harald.hoyer.photos"
          "*.hartwin.hoyer.photos"
        ];
      };

      "harald-hoyer.de" = {
        extraDomainNames = [
          "*.harald-hoyer.de"
        ];
      };
    };
  };
}