{
  pkgs,
  config,
  lib,
  ...
}: {
  options.services.nginx.domain = lib.mkOption {
    type = lib.types.str;
    description = "The base domain name to append to virtual domain names";
  };

  config = {
    # Don't attempt to run acme if the domain name is not tlater.net
    systemd.services = let
      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
    in
      lib.mapAttrs' (cert: _:
        lib.nameValuePair "acme-${cert}" {
          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
        })
      config.security.acme.certs;
  };
}