{ options, config, lib, pkgs, ... }:

with builtins;
with lib;

let
  fn = import (../. + (toPath "/fn.nix")) { inherit lib; };
  cfg = config.machine;
in mkIf (elem "acme" cfg.services) {
  security.acme = {
    # see https://letsencrypt.org/repository/
    acceptTerms = true;
    email = fn.fileContentsOr
      (toPath "${cfg.secretPath}/acme.mailAddr")
      "${(elemAt cfg.mailAccounts 0).name}@${cfg.domain}";
  };
}