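# NixOS module wrapping security.acme for the permafrost host: one
# certificate obtained through the Cloudflare DNS-01 challenge, with the
# Cloudflare credentials supplied as sops-nix secrets.
{ lib, config, ... }:

let
  cfg = config.permafrost.acme;
in
{
  options.permafrost.acme = {
    enable = lib.mkEnableOption "acme nixos module";

    # The account e-mail and the primary domain used to be literals in the
    # cert definition below. They are options now; their defaults are the
    # previous literals, so existing configurations evaluate unchanged.
    email = lib.mkOption {
      description = "contact e-mail registered with the ACME account";
      default = "Zynh0722@gmail.com";
      type = with lib.types; str;
    };

    domain = lib.mkOption {
      description = "primary domain (common name) of the ACME cert";
      default = "scarlet.zynh.me";
      type = with lib.types; str;
    };

    certDomains = lib.mkOption {
      description = "additional domains to register with the ACME cert";
      default = [ ];
      type = with lib.types; listOf str;
    };

    useStagingServer = lib.mkOption {
      description = ''
        use the letsencrypt staging server.
        Staging certificates are not trusted by browsers; set this to
        false once the configuration is known to work. The default is
        true, so merely enabling the module never requests a production
        certificate.
      '';
      default = true;
      type = with lib.types; bool;
    };
  };

  config = lib.mkIf cfg.enable {
    # Declared with no owner/mode overrides, i.e. sops-nix defaults; only
    # their on-disk paths are handed to the ACME cert below, never the
    # decrypted contents.
    sops.secrets."cloudflare/email" = { };
    sops.secrets."cloudflare/api_key" = { };

    # security.acme refuses to request anything until the CA's terms are
    # accepted explicitly.
    security.acme.acceptTerms = true;
    security.acme.certs.permafrost = {
      email = cfg.email;
      domain = cfg.domain;
      # presumably nginx serves this cert, hence group access to the key
      # material; verify against the nginx virtual host configuration
      group = config.services.nginx.group;
      renewInterval = "weekly";
      server =
        if cfg.useStagingServer
        then "https://acme-staging-v02.api.letsencrypt.org/directory"
        else config.security.acme.defaults.server;
      extraDomainNames = cfg.certDomains;

      # DNS-01 via Cloudflare. Credentials are passed as *_FILE paths, so no
      # secret value is embedded in the evaluated configuration.
      dnsProvider = "cloudflare";
      credentialFiles = {
        "CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
        # NOTE(review): the variable name expects a scoped API *token*
        # (least privilege: Zone:DNS:Edit on the relevant zone), while the
        # secret is named "api_key", which suggests the account-wide Global
        # API Key. Confirm which value is stored; a scoped token is the safer
        # choice, and with it the e-mail entry above is not needed by lego.
        "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
      };
    };
  };
}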