# Option: the set of DNS names to serve, each mapped to the action (a string,
# run as the certificate's `postRun`) executed after that host's certificate is
# (re)issued.  `cfg` and `lib` come from the enclosing module scope.
options.ekleog.acme = lib.mkOption {
  type = with lib.types; attrsOf str;
  default = {};
  description = "Mapping dns -> action on refresh for SSL certificates";
};

# Nothing below is applied unless at least one host has been configured.
config = lib.mkIf (cfg != {}) {
  services.nginx = {
    enable = true;
    # One virtual host per configured DNS name.  The listen list binds the name
    # itself on 80 and, with TLS, on 443; `mkDefault` keeps it overridable by
    # other modules.  NOTE(review): `addr` is a hostname, not an IP — nginx has
    # to resolve it when it starts, so it must resolve on this host (confirm).
    # NOTE(review): the vhost listens with `ssl = true` but sets no certificate
    # options here (no `sslCertificate` / `enableACME`); presumably that is
    # wired up elsewhere — confirm.
    # The ACME challenge path is served from a per-host webroot, the same
    # directory the certificate entry below writes its challenge files into.
    virtualHosts = lib.flip lib.mapAttrs cfg (name: _action: {
      listen = lib.mkDefault [
        { addr = name; port = 80; }
        { addr = name; port = 443; ssl = true; }
      ];
      locations."/.well-known/acme-challenge".root = "/var/acme-challenge/${name}";
    });
  };

  # Port 80 must be reachable from the internet for the HTTP-01 challenge.
  # NOTE(review): 443 is not opened here although every vhost listens on it
  # with TLS — confirm it is opened by another module, otherwise the issued
  # certificates are not reachable from outside.
  networking.firewall.allowedTCPPorts = [ 80 ];

  # One ACME certificate per DNS name, validated through the webroot served by
  # the vhost above; the configured action runs after each (re)issuance.
  security.acme.certs = lib.flip lib.mapAttrs cfg (name: action: {
    webroot = "/var/acme-challenge/${name}";
    postRun = action;
    email = "leo@gaspard.io";
  });
};