{ ... }:

{
  imports = [ ./module-acme-ca.nix ];

  # ACME accounts: each one pairs a CA directory URL with the DNS provider
  # used for the challenge. The same base settings are layered with `//`
  # (right-hand side wins, shallow merge) to build every variant.
  my.acme.accounts =
    let
      # Settings common to every account defined below.
      commonSettings = {
        key_type = "EC256";
        # NOTE(review): presumably tells the backend not to wait for the
        # challenge record to propagate before asking the CA to validate;
        # confirm against module-acme-ca.nix. If so, a slow DNS provider shows
        # up as failed validations rather than as a wait.
        ignore_dns_propagation = true;
      };

      # Let's Encrypt registration details, independent of directory URL.
      leAccount = commonSettings // {
        contact = "letsencrypt@lukegb.com";
        terms_of_service_agreed = true;
      };

      # Staging and production differ only in the directory endpoint.
      leProd = leAccount // {
        server_url = "https://acme-v02.api.letsencrypt.org/directory";
      };
      leStaging = leAccount // {
        server_url = "https://acme-staging-v02.api.letsencrypt.org/directory";
      };

      # Attach the Cloudflare DNS provider to an account.
      #
      # `\${` stops Nix from interpolating, so the literal `${...}` reference is
      # emitted for a downstream tool to resolve; the token itself never
      # appears in this file.
      # NOTE(review): the reference looks like Terraform's vault_generic_secret
      # data source. If so, the resolved token is also written to Terraform
      # state, so that state needs the same protection as the secret. Confirm
      # the token is scoped to DNS edits on the zones these accounts serve.
      viaCloudflare = acct: acct // {
        provider = "cloudflare";
        provider_configuration = {
          CLOUDFLARE_DNS_API_TOKEN = "\${data.vault_generic_secret.misc.data[\"cloudflareToken\"]}";
        };
      };

      # Attach the Google Cloud DNS provider (project as205479-177317).
      # NOTE(review): no credential is configured here; presumably the provider
      # uses ambient credentials. Confirm they are limited to DNS changes in
      # this project.
      viaGcloudAs205479 = acct: acct // {
        provider = "gcloud";
        provider_configuration = {
          GCE_PROJECT = "as205479-177317";
        };
      };
    in
    {
      letsencrypt-cloudflare = viaCloudflare leProd;
      letsencrypt-staging-cloudflare = viaCloudflare leStaging;

      letsencrypt-gcloud-as205479 = viaGcloudAs205479 leProd;
      letsencrypt-staging-gcloud-as205479 = viaGcloudAs205479 leStaging;
    };

  # Per-role allow-lists: the domains each role may request certificates for.
  # Staging and production roles for a provider share the same list.
  my.acme.roles =
    let
      # Zones for the Cloudflare-backed roles.
      zonesOnCloudflare = [ "lukegb.com" "bfob.gg" "lukegb.dev" "lukegb.tech" "lukegb.xyz" "zxcvbnm.ninja" ];

      # Names for the Google Cloud DNS-backed roles.
      # NOTE(review): event.lukegb.tech and tech.lukegb.tech sit under
      # lukegb.tech, which is also in the Cloudflare list. Whether the
      # Cloudflare roles can issue for these names too depends on how
      # allowed_domains treats subdomains, which is not visible here. Confirm
      # the overlap is intended.
      zonesOnGcloud = [ "as205479.net" "event.lukegb.tech" "tech.lukegb.tech" ];

      # Build a role body that only sets the domain allow-list.
      restrictTo = domains: { allowed_domains = domains; };
    in
    {
      letsencrypt-cloudflare = restrictTo zonesOnCloudflare;
      letsencrypt-staging-cloudflare = restrictTo zonesOnCloudflare;

      letsencrypt-gcloud-as205479 = restrictTo zonesOnGcloud;
      letsencrypt-staging-gcloud-as205479 = restrictTo zonesOnGcloud;

      # NOTE(review): my.acme.accounts in this file defines no
      # `google-cloudflare` account. Confirm it is defined elsewhere;
      # otherwise this role grants the Cloudflare domain list to a name with
      # no matching account.
      google-cloudflare = restrictTo zonesOnCloudflare;
    };
}