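# NixOS module: wildcard certificates obtained over ACME DNS-01 (Namecheap),
# plus a helper unit that builds the single-file PEM bundle HAProxy loads.
{ config, pkgs, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@tempest.dev";

    certs = {
      # Wildcard for the IRC hosts; readable by the "pounce" group.
      "wildcard-irc.tempest.dev" = {
        group = "pounce";
        domain = "*.irc.tempest.dev";
        dnsProvider = "namecheap";
        # Given as a string, not a Nix path literal, so the DNS API credentials
        # are not copied into the world-readable Nix store.
        # NOTE(review): ownership and mode of this file are not visible here;
        # confirm it is root-only (0600).
        credentialsFile = "/var/lib/secrets/namecheap.env";
      };

      # Wildcard for the main domain; readable by the "haproxy" group.
      # NOTE(review): both certificates use the same Namecheap credentials
      # file, so anyone who can read it can answer DNS-01 challenges for
      # either domain.
      "wildcard-tempest.dev" = {
        group = "haproxy";
        domain = "*.tempest.dev";
        dnsProvider = "namecheap";
        credentialsFile = "/var/lib/secrets/namecheap.env";
      };
    };
  };

  # Concatenates fullchain.pem and key.pem into combined.pem.
  systemd.services."concat-wildcard-cert" = {
    enable = true;
    description = "Concat wildcard certificate for HAProxy";

    unitConfig = {
      After = "acme-finished-wildcard-tempest.dev.target";
      Before = "haproxy.service";
    };

    serviceConfig = {
      # oneshot, not simple: systemd treats a "simple" unit as started as soon
      # as the process is spawned, so Before=haproxy.service would not
      # guarantee that combined.pem is fully written before HAProxy starts.
      # With oneshot the ordering waits for the command to exit.
      Type = "oneshot";
      Group = "haproxy";
      # combined.pem contains the private key. With the default umask the
      # shell redirection would create it world-readable (0644); 0027 yields
      # 0640, so only the owner and the haproxy group can read it.
      # A combined.pem that already exists keeps its mode when it is
      # truncated by ">", so check the file once after deploying this.
      UMask = "0027";
      ExecStart = "/run/current-system/sw/bin/sh -c 'cat /var/lib/acme/wildcard-tempest.dev/fullchain.pem /var/lib/acme/wildcard-tempest.dev/key.pem > /var/lib/acme/wildcard-tempest.dev/combined.pem'";
    };

    # NOTE(review): nothing visible here re-runs this unit after a renewal,
    # so combined.pem may lag behind a renewed certificate until the next
    # boot or manual start. Consider the certificate's postRun or
    # reloadServices options, or check whether the full.pem that the NixOS
    # ACME module writes (presumably key + chain; verify) can be given to
    # HAProxy directly.
    wantedBy = [ "multi-user.target" ];
  };
}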