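# NixOS module: declares per-domain-group TLS certificate options under
# `local.*` and wires the enabled groups into `security.acme`.
{ config, lib, ... }:
with lib;
let
  cfg = config.local;
in {
  options.local = with types; {
    # `domains.<group>.main` is the certificate's primary name; every other
    # attribute in the group is an additional name on the same certificate.
    domains = mkOption { type = attrsOf (attrsOf str); };

    # One `enable` toggle per domain group, keyed exactly like `domains`.
    # Fix: the group name must be bound as the lambda's first argument;
    # the previous `_: _:` left `name` unbound, so "${name}" could not
    # evaluate.
    # NOTE(review): deriving option declarations from `cfg.domains` makes
    # `options` depend on `config`; confirm the module system evaluates this
    # without infinite recursion.
    certs = mapAttrs (name: _: {
      enable = mkEnableOption "TLS cert for ${name}";
    }) cfg.domains;
  };

  config = {
    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "security@${config.networking.domain}";
        renewInterval = "weekly";
        # Use the shared HTTP-01 webroot only when no DNS-01 provider is
        # configured; otherwise leave it unset so the DNS challenge is used.
        webroot =
          if config.security.acme.defaults.dnsProvider == null
          then "/var/lib/acme/acme-challenge"
          else null;
      };

      certs = let
        # Order names by their dot-separated labels (compared as lists) so the
        # extra-name list is deterministic across evaluations.
        domainSort = sort (a: b: splitString "." a < splitString "." b);

        # Build one ACME cert definition from a domain group: `main` is the
        # certificate's primary domain, all other values become extra names.
        certConfig = domains: {
          domain = domains.main;
          extraDomainNames =
            domainSort (attrValues (filterAttrs (k: _: k != "main") domains));
        };

        # Only groups whose `local.certs.<group>.enable` is set get a cert.
        enabledDomains =
          filterAttrs (name: _: cfg.certs.${name}.enable) cfg.domains;
      in
        # Resulting certs are keyed by their main domain, not the group name.
        mapAttrs' (_: value: nameValuePair value.main (certConfig value))
          enabledDomains;
    };

    # The domain groups themselves are maintained in a sibling file.
    local.domains = import ./domains.nix;
  };
}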