# NixOS module fragment: ACME certificate issuance for 514fpv.io (apex plus
# wildcard) using a Cloudflare DNS challenge, with the ACME state directory
# listed for persistence.
{
  security.acme = {
    # Accepts the CA's terms of service; the ACME module will not issue
    # certificates without this.
    acceptTerms = true;
    # Contact address used for the ACME account.
    defaults.email = "koishi@514fpv.one";
    # Certificate files, private keys included, are made group-accessible to
    # "nginx". Any process running in that group can read the keys, so keep its
    # membership limited to the web server.
    defaults.group = "nginx";
    certs = let
      # Settings shared by both certificates below.
      cloudflare = {
        # DNS-based validation through the Cloudflare API.
        dnsProvider = "cloudflare";
        # Given as a string rather than a Nix path literal, so the secret is
        # referenced in place and is not copied into the world-readable
        # /nix/store.
        # NOTE(review): ownership and mode of this file are not visible here;
        # it should be root-owned and not group/world readable, and the API
        # token in it scoped to DNS edits on this zone only. Confirm on host.
        # NOTE(review): newer NixOS releases appear to name this option
        # `environmentFile`; check against the nixpkgs version in use.
        credentialsFile = "/nix/persist/secret/cloudflare";
      };
    in {
      # Apex certificate; no `domain` is set, so the attribute name is
      # presumably what gets requested.
      "514fpv.io" = cloudflare;
      # Wildcard certificate. `//` merges the shared settings with an explicit
      # `domain`, so the attribute name ".514fpv.io" serves only as the cert's
      # name and "*.514fpv.io" is what is requested.
      # A wildcard key is valid for every subdomain, so exposure of this one key
      # affects all of them.
      ".514fpv.io" = cloudflare // { domain = "*.514fpv.io"; };
    };
  };

  # Lists /var/lib/acme under the "/nix/persist/fhs" persistence root.
  # `environment.persistence` is not a core NixOS option and presumably comes
  # from the impermanence module (confirm against the flake/imports).
  # /var/lib/acme is the ACME module's state directory and holds the account
  # key and the issued certificates with their private keys, so the persisted
  # copy needs the same access restrictions and backup handling as the keys
  # themselves.
  environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/acme" ];
}