caddy int

modules/nixos/services/caddy-internal/sops.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.services.caddy-internal;
+
+  caddyUser = config.users.users.caddy.name;
+  caddyGroup = config.users.users.caddy.group;
+
+  caddySecret = {
+    owner = caddyUser;
+    group = caddyGroup;
+    sopsFile = lib.snowfall.fs.get-file "secrets/nuc-secrets.yaml";
+    restartUnits = [ "caddy.service" ];
+  };
+in
+{
+  config = lib.mkIf cfg.enable {
+    sops = {
+      secrets = {
+        # Add this key to secrets/nuc-secrets.yaml:
+        #   nuc/caddy/cloudflare-dns-api-token: <token>
+        "nuc/caddy/cloudflare-dns-api-token" = caddySecret;
+      };
+
+      templates."caddy-internal.env" = {
+        content = ''
+          CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."nuc/caddy/cloudflare-dns-api-token"}
+        '';
+        owner = caddyUser;
+        group = caddyGroup;
+        restartUnits = [ "caddy.service" ];
+      };
+    };
+  };
+}