# Common ACME settings shared between hosts: registration e-mail, DNS
# provider for the DNS-01 challenge, and an optional provider credentials file.
{ config, lib, ... }:
with lib;
with lib.metacfg;
let
  cfg = config.metacfg.services.acmeBase;

  # True only when the caller supplied a credentials file.
  hasCredentials = cfg.credentialsFile != null;
in
{
  options.metacfg.services.acmeBase = with types; {
    enable = mkBoolOpt false "Whether or not to enable ACME with common settings.";

    # Contact address used for the ACME account registration.
    email = mkOption {
      type = types.str;
      default = "harald@hoyer.xyz";
      description = "Registration email for ACME.";
    };

    dnsProvider = mkOption {
      type = types.str;
      default = "cloudflare";
      description = "DNS provider for ACME DNS-01 challenge.";
    };

    # NOTE(review): this file holds the DNS provider's API secret. `types.path`
    # also accepts a Nix path literal (e.g. ./cloudflare.env); such a literal is
    # likely to be copied into the world-readable /nix/store once it is
    # interpolated into the service configuration. Prefer an absolute path
    # string to a root-only file provisioned outside the store (for example by
    # a secrets-management module) -- confirm how callers set this.
    credentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to the credentials file for the DNS provider.";
    };
  };

  config = mkIf cfg.enable {
    security.acme = {
      # Enabling this module accepts the ACME CA's terms of service.
      acceptTerms = true;

      defaults = {
        inherit (cfg) email dnsProvider;

        # Forwarded only when set; with the default `null` no definition is
        # contributed here and the upstream default for
        # security.acme.defaults.credentialsFile stays in effect.
        # NOTE(review): dnsProvider is always set, so a host that enables this
        # without credentials presumably has to supply them another way --
        # TODO confirm.
        credentialsFile = mkIf hasCredentials cfg.credentialsFile;
      };
    };
  };
}