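# ACME certificate for the mail host, issued through a DNS-01 challenge.
# The DNS provider credentials are supplied via an agenix-managed secret.
#
# Kept one statement per line: `#` comments run to end of line, so a collapsed
# single-line form would comment out everything after the first `#`.
{ config, ... }:
{
  security.acme = {
    acceptTerms = true;

    # A single certificate covering the mail host and its auxiliary names
    # (DAV, MTA-STS policy host, client autoconfiguration endpoints).
    certs."pyroxdev-mail" = {
      domain = "mail.pyrox.dev";
      extraDomainNames = [
        "dav.pyrox.dev"
        "mta-sts.pyrox.dev"
        "autoconfig.pyrox.dev"
        "autodiscover.pyrox.dev"
      ];
      # Reload the mail server after renewal so it serves the new certificate.
      # NOTE(review): read access to the certificate files for this service is
      # not configured in this module - confirm it is granted elsewhere.
      reloadServices = [ "stalwart-mail" ];
    };

    defaults = {
      # Let's Encrypt production directory (rate-limited; issues trusted certs).
      server = "https://acme-v02.api.letsencrypt.org/directory";
      email = "pyrox@pyrox.dev";

      # DNS-01 challenges are answered through deSEC, the zone's DNS provider.
      dnsProvider = "desec";

      # Wait until the challenge record is visible before asking the CA to
      # validate, checked against the resolver below. Queries to it are plain
      # DNS on port 53.
      dnsPropagationCheck = true;
      dnsResolver = "9.9.9.9:53";

      # Agenix-decrypted credentials for the DNS provider. This is a runtime
      # path, so the token itself is not written into the Nix store.
      # The file is expected to hold the environment variables the provider
      # reads (for deSEC presumably DESEC_TOKEN - confirm against the secret).
      # The token can edit DNS records for the zone, so keep its scope as
      # narrow as the provider allows.
      credentialsFile = config.age.secrets.acme-creds.path;
    };
  };

  # Encrypted at rest in the repository; decrypted on the host and handed to
  # the acme user only, since that is the account that reads the credentials.
  # No `mode` is set here, so agenix's default file mode applies.
  age.secrets.acme-creds = {
    file = ../secrets/acme-creds.age;
    owner = "acme";
    group = "acme";
  };
}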