# ACME certificate for buffet.sh and buffets.kitchen (apex + wildcard),
# issued via a DNS challenge against Hetzner DNS. The DNS API credential
# is supplied through an agenix-managed secret rather than being written
# into the Nix store.
{config, ...}: let
  # agenix entry holding the DNS provider credentials (declared below).
  dnsSecret = config.age.secrets.hetzner-dns;
in {
  age.secrets.hetzner-dns = {
    # Encrypted at rest in the repo; only the decrypted runtime path is
    # handed to the ACME client.
    file = ../../secrets/hetzner-dns.age;
  };

  security.acme.acceptTerms = true;
  security.acme.defaults = {
    email = "acme@buffet.sh";
  };

  security.acme.certs."buffet.sh" = {
    # Wildcard names require the DNS challenge, so this credential can
    # modify DNS records. Treat it as equivalent to control of the zones:
    # keep the secret's recipients minimal and rotate it on any suspicion
    # of exposure.
    # NOTE(review): confirm whether the provider token can be scoped to
    # just these zones; if not, a leak affects every zone in the account.
    dnsProvider = "hetzner";
    # NOTE(review): recent NixOS releases document `environmentFile` as the
    # replacement for `credentialsFile` — check the pinned nixpkgs before
    # switching.
    credentialsFile = dnsSecret.path;

    # The certificate material is made accessible to the nginx group.
    # One private key covers every subdomain of both zones, so any
    # process running in that group can impersonate all of them if it is
    # compromised — keep membership of "nginx" to the web server only.
    group = "nginx";

    extraDomainNames = [
      "*.buffet.sh"
      "*.buffets.kitchen"
      "buffets.kitchen"
    ];
  };
}