# ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)
# https://stalw.art/docs/server/tls/acme/configuration
{ cfg, sec }:
{
  letsencrypt = {
    directory = "https://acme-staging-v02.api.letsencrypt.org/directory";
    challenge = "dns-01";
    contact = [ "pyrox@pyrox.dev" ];
    domains = [
      "mail.pyrox.dev"
      "mta-sts.pyrox.dev"
      "autoconfig.pyrox.dev"
      "autodiscover.pyrox.dev"
    ];
    cache = "${cfg.dataDir}/acme/certs";
    renew-before = "30d";
    default = true;
    provider = "desec";
    secret = "%{file:${sec.stalwart-desec-token.path}}%";
  };
}