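# NixOS module extending services.mosquitto with two opt-in pieces:
#   * openFirewall — open the broker's listener ports in the host firewall;
#   * subdomain    — obtain an ACME certificate for <subdomain>.<networking.domain>
#                    and hand it to mosquitto through systemd credentials.
{ config, lib, ... }:
let
  cfg = config.services.mosquitto;

  # Host name the ACME certificate is issued for.  Interpolating a null
  # subdomain would fail, so this binding is only ever forced inside the
  # `cfg.subdomain != null` branch below.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  acme = config.security.acme;
in
{
  options = {
    services.mosquitto = {
      openFirewall = lib.mkEnableOption "Open firewall port for Mosquitto";

      subdomain = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = ''
          Subdomain of networking.domain under which the broker is reachable.
          When set, an ACME certificate for that name is requested and its
          full chain and private key are exposed to mosquitto as the
          systemd credentials fullchain.pem and key.pem.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    # Only open the listener ports when explicitly requested.  Previously the
    # ports were added unconditionally, which made openFirewall a no-op and
    # exposed every configured listener regardless of the option's value.
    (lib.mkIf cfg.openFirewall {
      networking.firewall.allowedTCPPorts = map ({ port, ... }: port) cfg.listeners;
    })

    (lib.mkIf (cfg.subdomain != null) {
      # Pick up renewed certificates: the credentials are copied at service
      # start, so a restart is needed after every renewal.
      security.acme.certs.${fqdn}.postRun = ''
        systemctl restart mosquitto
      '';

      systemd.services.mosquitto = {
        requires = [ "acme-${fqdn}.service" ];
        # Requires= alone does not order the units; without after= mosquitto
        # could start before the certificate files exist on first provisioning.
        after = [ "acme-${fqdn}.service" ];

        # Credentials are read by systemd as root and made available to the
        # service under $CREDENTIALS_DIRECTORY, so the mosquitto user needs no
        # read access to the ACME directory itself.
        serviceConfig.LoadCredential = [
          "fullchain.pem:${acme.certs.${fqdn}.directory}/fullchain.pem"
          "key.pem:${acme.certs.${fqdn}.directory}/key.pem"
        ];
      };
    })
  ]);
}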