{...}: {
  users.users.nginx.extraGroups = ["acme"];

  services.nginx = {
    enable = true;
    virtualHosts = {
      "acmechallenge.vhack.eu" = {
        serverAliases = ["*.vhack.eu"];
        locations."/.well-known/acme-challenge" = {
          root = "/var/lib/acme/.challenges";
        };
        locations."/" = {
          return = "301 https://$host$request_uri";
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@vhack.eu";
    certs = {
      "server1.vhack.eu" = {
        webroot = "/var/lib/acme/.challenges";
        group = "nginx";
        extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
      };
    };
  };
}