# NixOS module: for every domain listed in ./domains.nix, declare an nginx
# vhost that answers ACME HTTP-01 challenges from a shared webroot and
# redirects everything else to HTTPS, and request a certificate for that
# domain through the same webroot.
{lib, ...}: let
  domains = import ./domains.nix {};

  # Single directory shared by the ACME client (writer) and nginx (reader).
  challengeRoot = "/var/lib/acme/.challenges";

  # Build the { name, value } pair for one domain's challenge/redirect vhost.
  mkChallengeHost = domain_name:
    lib.nameValuePair "acmechallenge.${domain_name}" {
      # The wildcard alias matches subdomains only, not the bare domain.
      # NOTE(review): certs below are requested for the names in domains.nix
      # as-is; if those are apex names, their HTTP-01 requests must be
      # answered by some other vhost. Confirm against the rest of the config.
      serverAliases = ["*.${domain_name}"];

      locations = {
        # Only the challenge path is served from disk.
        "/.well-known/acme-challenge".root = challengeRoot;

        # nginx's $host comes from the request (request line or Host header),
        # so the redirect target echoes it.
        # NOTE(review): if one of these vhosts ends up as the default server
        # for its listen socket, names outside the wildcard would be reflected
        # too. Confirm a dedicated default server is declared elsewhere.
        "/".return = "301 https://$host$request_uri";
      };
    };

  # Per-domain certificate settings; the domain name itself is not needed here.
  mkCert = _domain_name: {
    webroot = challengeRoot;
    # Issued certificate and key files are group-owned by nginx so the web
    # server can read them.
    group = "nginx";
  };
in {
  # nginx joins the acme group (presumably so it can read the challenge
  # webroot written by the ACME client; confirm directory ownership).
  users.users.nginx.extraGroups = ["acme"];

  services.nginx = {
    enable = true;
    virtualHosts = lib.listToAttrs (map mkChallengeHost domains);
  };

  security.acme = {
    # Accepts the CA's terms of service on behalf of the operator.
    acceptTerms = true;
    defaults.email = "admin@vhack.eu";
    certs = lib.genAttrs domains mkCert;
  };
}