{ ... }: { systemd.services.hetzner-certbot = { environment = { API_TOKEN = (builtins.readFile /opt/cloud-init-misc-data/hcloud_token); AWS_ACCESS_KEY_ID = (builtins.readFile /opt/cloud-init-misc-data/aws_access_key_id); AWS_SECRET_ACCESS_KEY = (builtins.readFile /opt/cloud-init-misc-data/aws_secret_access_key); ENVIRONMENT = (builtins.readFile /opt/cloud-init-misc-data/environment); SERVICE = "guidelines"; DOMAIN_NAME = (builtins.readFile /opt/cloud-init-misc-data/domain_name); ALTERNATIVE_NAMES = (builtins.readFile /opt/cloud-init-misc-data/domain_alternative_names); LETSENCRYPT_DIR = "/mnt/data/letsencrypt"; SERVICE_PORTS = "443,8443,9443"; # guidelines, kibana, vault }; serviceConfig.Type = "oneshot"; script = "/opt/certbot.sh --renew"; }; }