{
  pkgs,
  config,
  lib,
  ...
}:
{
  options = {
    # Add a custom per-host option to enable HSTS
    services.nginx.virtualHosts = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.submodule (
          { config, ... }:
          {
            options.enableHSTS = lib.mkEnableOption "HSTS";
            config.extraConfig = lib.mkIf config.enableHSTS ''
              add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
            '';
          }
        )
      );
    };
  };

  config = {
    # Certificate settings
    security.acme = {
      defaults.email = "tm@tlater.net";
      acceptTerms = true;

      certs."tlater.net" = {
        extraDomainNames = [
          "*.tlater.net"
          "tlater.com"
          "*.tlater.com"
        ];
        dnsProvider = "porkbun";
        group = config.users.groups.ssl-cert.name;
        credentialFiles = {
          PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
          PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
        };
      };
    };
    users.groups.ssl-cert = { };

    # Back up the SSL certificate, just in case
    services.backups.acme = {
      user = "acme";
      paths = [ "/var/lib/acme/tlater.net" ];
    };

    systemd.services = {
      nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ];

      # Don't attempt to retrieve a certificate if the domain name
      # doesn't *actually* match the cert name
      #
      # TODO(tlater): Set up pebble to retrieve certs "properly"
      # instead
      "acme-tlater.net".serviceConfig.ExecCondition =
        let
          confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';
        in
        ''${pkgs.runtimeShell} -c '${confirm}' '';
    };
  };
}