{config, ...}: { age.secrets.hetzner-dns.file = ../../secrets/hetzner-dns.age; security.acme = { acceptTerms = true; defaults.email = "acme@buffet.sh"; certs."buffet.sh" = { domain = "*.buffet.sh"; extraDomainNames = ["*.buffets.kitchen"]; group = "nginx"; dnsProvider = "hetzner"; credentialsFile = config.age.secrets.hetzner-dns.path; }; }; }