{ config, pkgs, ... }:

{
  systemd.services.letsencrypt = {
    path = [ pkgs.simp_le ];

    restartIfChanged = false;
    serviceConfig = {
      Type = "oneshot";
    };

    script = ''
      mkdir -p /etc/sslcerts/acmeroot
      cd /etc/sslcerts

      simp_le \
        -d git.gebner.org \
        -d mail.gebner.org \
        --default_root $PWD/acmeroot \
        -f account_key.json -f fullchain.pem -f key.pem \
        --email gebner@gebner.org

      cp key.pem key-dovecot.pem
      chown dovecot2 key-dovecot.pem
    '';

    startAt = "04:00";
  };
}