# NixOS module: runs the soju IRC bouncer with a TLS certificate obtained
# through security.acme for irc.jolheiser.com.
{lib, ...}: let
  # Directory holding the issued certificate and private key for this host name.
  certDir = "/var/lib/acme/irc.jolheiser.com";
in {
  security.acme.acceptTerms = true;
  security.acme.email = "irc@jolheiser.com";
  security.acme.certs."irc.jolheiser.com" = {
    # HTTP-01 challenge is answered by a standalone listener on this port.
    # NOTE(review): nothing in this module forwards port 80 to :7658 or opens
    # it in the firewall; that has to be configured elsewhere. Confirm.
    listenHTTP = ":7658";
    # Certificate files are handed to the soju group so the service account
    # can read them. Anyone in this group can read key.pem, so keep its
    # membership limited to the service user.
    group = "soju";
    # Ask soju to pick up the renewed certificate after each issuance.
    postRun = "systemctl reload soju";
  };

  services.soju.enable = true;
  services.soju.tlsCertificate = "${certDir}/fullchain.pem";
  services.soju.tlsCertificateKey = "${certDir}/key.pem";

  systemd.services.soju.serviceConfig = {
    # Force a static account instead of a dynamic one, so the unit runs as the
    # soju user/group declared below and matches the certificate's group.
    # NOTE(review): presumably the upstream unit sets DynamicUser = true,
    # hence mkForce. Confirm against the soju module in use.
    DynamicUser = lib.mkForce false;
    User = "soju";
    Group = "soju";
    # The service only needs to read the key material, never to modify it.
    ReadOnlyPaths = certDir;
  };

  # Dedicated unprivileged system account for the bouncer.
  users.users.soju = {
    isSystemUser = true;
    group = "soju";
  };
  users.groups.soju = {};
}