{ ... }: {
  systemd.services.hetzner-certbot = {
    environment = {
      API_TOKEN = (builtins.readFile /opt/cloud-init-misc-data/hcloud_token);
      AWS_ACCESS_KEY_ID = (builtins.readFile /opt/cloud-init-misc-data/aws_access_key_id);
      AWS_SECRET_ACCESS_KEY = (builtins.readFile /opt/cloud-init-misc-data/aws_secret_access_key);
      ENVIRONMENT = (builtins.readFile /opt/cloud-init-misc-data/environment);
      SERVICE = "guidelines";
      DOMAIN_NAME = (builtins.readFile /opt/cloud-init-misc-data/domain_name);
      ALTERNATIVE_NAMES = (builtins.readFile /opt/cloud-init-misc-data/domain_alternative_names);
      LETSENCRYPT_DIR = "/mnt/data/letsencrypt";
      SERVICE_PORTS = "443,8443,9443"; # guidelines, kibana, vault
    };
    serviceConfig.Type = "oneshot";
    script = "/opt/certbot.sh --renew";
  };
}