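{ ... }:
let
  # Runtime directory taskd reads its TLS material from.  The files are
  # installed here by the ACME postRun hook below; keeping them outside the
  # Nix store matters because /nix/store is world-readable.
  taskStore = "/var/lib/taskserver";
  host = "taskserver.vhack.eu";
in
{
  services.taskserver = {
    enable = true;

    # Paths are kept as plain strings on purpose: `builtins.toPath` (used
    # before) is deprecated and yields a path value, and a path value that
    # gets interpolated into a derivation is copied into the world-readable
    # store at build time — never acceptable for a private key.
    config.server = {
      cert = "${taskStore}/fullchain.pem";
      # The ACME module produces `key.pem` and the hook below installs it
      # under that name; the former `privkey.pem` was never created.
      key = "${taskStore}/key.pem";
    };

    pki = {
      # These auto-PKI settings are only consulted when no manual PKI is
      # configured; with pki.manual set below the module does not generate
      # a CA or certificates itself.  Kept so switching back is a one-liner.
      auto = {
        expiration = {
          server = 365;
          crl = 365;
          client = 365;
          ca = 365;
        };
        bits = 4096;
      };
      manual = {
        # NOTE(review): cert.pem is the ACME-issued *leaf* certificate, not
        # a CA.  With trust = "strict" taskd validates client certificates
        # against ca.cert, so clients whose certificates are issued by a
        # separate CA would be rejected — confirm how client certs are
        # issued before relying on this.
        ca.cert = "${taskStore}/cert.pem";
        server = {
          cert = "${taskStore}/fullchain.pem";
          key = "${taskStore}/key.pem";
        };
      };
    };

    organisations = import ./organisations.nix;
    # Require client certificates that chain to ca.cert.
    trust = "strict";
    openFirewall = true;
    fqdn = host;
    listenHost = host;
  };

  security.acme.certs.taskserver = {
    domain = host;
    # Runs as root, in the certificate directory, after each (re)issue.
    postRun = /* bash */ ''
      # install(1) sets owner and mode at creation and replaces the target in
      # one step, so there is no window where the key is absent (the old
      # `rm` + `cp` sequence aborted on first run when nothing existed yet)
      # or readable by others (`cp` inherits the umask, typically 0644).
      install -m 0400 -o taskd -g taskd key.pem       "${taskStore}/key.pem"
      install -m 0444 -o taskd -g taskd fullchain.pem "${taskStore}/fullchain.pem"
      install -m 0444 -o taskd -g taskd cert.pem      "${taskStore}/cert.pem"
      # taskd reads its certificate at start-up, so restart it (only if it is
      # running) or the renewed certificate is never served.
      systemctl try-restart taskserver.service
    '';
  };
}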