{ config, ... }:
{
  security.acme = {
    acceptTerms = true;

    defaults = {
      email = "acme@ppp.pm";
    };

    certs = {
      "ha.ppp.pm" = {
        dnsProvider = "hetzner";
        environmentFile = config.age.secrets.hetzner-dns.path;
        group = "nginx";

        extraLegoFlags = [
          "--dns.resolvers=1.1.1.1:53,8.8.8.8:53"
          "--dns.propagation-wait=60s" # Wait for 60 seconds for DNS propagation
          "--dns-timeout=60"
          "--http-timeout=60"
        ];
      };
    };
  };

  age = {
    secrets = {
      "hetzner-dns".file = ../../../../secrets/manatee/hetzner-dns.age;
    };
  };
}