{ pkgs
, lib
, config
, ... }: with lib; let
  cfg = config.global.acme;
in {
  options.global.acme = {
    enable = mkEnableOption "ACME SSL certificates";
  };

  config = mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = mkDefault "koishi@514fpv.one";
      defaults.group = config.services.nginx.group;
    };

    environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/acme" ];
  };
}