{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  cfg = config.${namespace}.services.caddy;
in
{
  config = lib.mkIf cfg.enable {
    sops = {
      secrets = {
        "jallen-nas/traefik/crowdsec/lapi-key" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };

        "jallen-nas/traefik/crowdsec/capi-machine-id" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };

        "jallen-nas/traefik/crowdsec/capi-password" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };
        "jallen-nas/traefik/cloudflare-dns-api-token" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };
        "jallen-nas/traefik/cloudflare-zone-api-token" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };
        "jallen-nas/traefik/cloudflare-api-key" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };
        "jallen-nas/traefik/cloudflare-email" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };
      };
      templates = {
        "caddy.env" = {
          content = ''
            CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
            CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
            CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
            CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
          '';
          owner = config.users.users.caddy.name;
          group = config.users.users.caddy.group;
          restartUnits = [ "caddy.service" ];
        };
      };
    };
  };
}