{ lib, pkgs, config,  ... }:
{
  options.services.myCertificates = {
    certConfig = lib.mkOption {
      default = {
        webroot = "${config.security.acme.directory}/acme-challenge";
        email = "ismael@bouya.org";
        postRun = ''
          systemctl reload httpdTools.service httpdInte.service httpdProd.service
        '';
        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
      };
      description = "Default configuration for certificates";
    };
  };

  config = {
    services.backup.profiles.system.excludeFile = ''
      + ${config.security.acme.directory}
      '';
    services.websites.certs = config.services.myCertificates.certConfig;
    myServices.databasesCerts = config.services.myCertificates.certConfig;
    myServices.ircCerts = config.services.myCertificates.certConfig;

    security.acme.preliminarySelfsigned = true;

    security.acme.certs = {
      "eldiron" = config.services.myCertificates.certConfig // {
        domain = "eldiron.immae.eu";
      };
    };

    systemd.services = lib.attrsets.mapAttrs' (k: v:
      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
        cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
        '') +
        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
        cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
        '')
      ; })
    ) config.security.acme.certs // {
      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
    };
  };
}