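# NixOS module: taskserver behind an ACME-issued certificate.
#
# The ACME client writes key.pem / fullchain.pem into its own directory; the
# postRun hook below copies them into taskd's data directory with taskd as the
# owner, and services.taskserver is pointed at those copies.
{...}:
let
  # taskd's data directory; also where the ACME hook installs the cert + key.
  taskStore = "/var/lib/taskserver";
in {
  services.taskserver = {
    enable = true;

    pki.manual = {
      # The CA certificate is public, so a path literal -- which Nix copies
      # into the world-readable /nix/store -- is acceptable here.
      ca.cert = ./ca.cert.pem;

      server = {
        # These MUST stay plain strings, not path values (`/. + "..."`).
        # A Nix path value is copied into /nix/store as soon as it is
        # interpolated into the generated taskd config, which would publish
        # the private key world-readable on every host that has the closure.
        # A string is passed through verbatim, so taskd reads the file at
        # runtime under its own user and the key never enters the store.
        cert = "${taskStore}/fullchain.pem";
        # postRun installs the ACME key as key.pem (ACME does not produce a
        # file named privkey.pem), so the config has to reference that name.
        key = "${taskStore}/key.pem";
      };
    };

    organisations = import ./organisations.nix;
    trust = "strict";
    openFirewall = true;
    fqdn = "taskserver.vhack.eu";
    listenHost = "taskserver.vhack.eu";
  };

  security.acme.certs.taskserver = {
    domain = "taskserver.vhack.eu";

    # Runs in the certificate directory (cwd holds key.pem and fullchain.pem)
    # after each successful issuance or renewal. The old rm + cp + chown
    # sequence created key.pem with the caller's umask (typically 0644) and
    # only then changed the owner, so the private key was readable by every
    # local user -- briefly at best, permanently if the data dir itself is
    # traversable. `install` unlinks the destination and creates it with the
    # final owner and mode in one step, and does not fail on a first run where
    # the old files do not exist yet.
    postRun = /* bash */ ''
      set -x
      install -m 0600 -o taskd -g taskd key.pem "${taskStore}/key.pem"
      install -m 0644 -o taskd -g taskd fullchain.pem "${taskStore}/fullchain.pem"
      # NOTE(review): nothing here tells the running taskd that the files
      # changed; if it does not re-read them on its own, the renewed cert is
      # only picked up on the next restart. Consider
      # `systemctl try-restart taskserver.service` here -- confirm against
      # taskd's behaviour before adding it.
    '';
  };
}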