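# Caddy reverse proxy for *.mjallen.dev.
#
# Builds Caddy with the Cloudflare DNS plugin, obtains a wildcard certificate
# through the ACME DNS challenge, and routes each subdomain to its backend by
# Host header. Secrets reach Caddy through a sops-rendered environment file,
# so the Cloudflare token never lands in the Nix store.
{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
with lib;
let
  name = "caddy";
  cfg = config.${namespace}.services.${name};

  # Address of the machine that hosts most proxied services. Kept in one
  # place so a renumbering cannot leave a stale upstream behind.
  backendHost = "10.0.1.3";

  # Upstream URL for a service declared under config.${namespace}.services.
  # The Caddy -> backend hop is plain HTTP, so it relies on the network path
  # to backendHost being trusted.
  upstream =
    service: "http://${backendHost}:${toString config.${namespace}.services.${service}.port}";

  # Plugins are pinned to an exact version and the resulting build is pinned
  # by hash; changing the plugin list requires updating the hash as well.
  caddyPackage = pkgs.caddy.withPlugins {
    plugins = [ "github.com/caddy-dns/cloudflare@v0.2.3" ];
    hash = "sha256-bL1cpMvDogD/pdVxGA8CAMEXazWpFDBiGBxG83SmXLA=";
  };
  # Not built in at the moment (kept for reference):
  # "github.com/hslatman/caddy-crowdsec-bouncer/http@v0.9.2"

  caddy = lib.${namespace}.mkModule {
    inherit config name;
    description = "caddy Service";
    options = { };
    moduleConfig = {
      services.caddy = {
        enable = true;
        package = caddyPackage;
        # Supplies CLOUDFLARE_DNS_API_TOKEN at runtime. The token should be
        # limited to DNS edits on this one zone, since it is all the ACME
        # DNS challenge needs.
        environmentFile = config.sops.templates."caddy.env".path;
        email = "jalle008@proton.me";
        enableReload = true;
        # presumably cfg.configDir is declared by mkModule; confirm there.
        # This directory holds certificates and private keys.
        dataDir = "${cfg.configDir}/caddy";

        # default_bind 0.0.0.0 listens on every IPv4 interface; what is
        # actually reachable is decided by the host firewall.
        globalConfig = ''
          metrics
          http_port 80
          https_port 443
          default_bind 0.0.0.0
        '';

        virtualHosts = {
          "*.mjallen.dev" = {
            extraConfig = ''
              tls {
                dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
              }

              @authentik host authentik.mjallen.dev
              handle @authentik {
                reverse_proxy ${upstream "authentik"}
              }

              @cache host cache.mjallen.dev
              handle @cache {
                reverse_proxy ${upstream "attic"}
              }

              @cloud host cloud.mjallen.dev
              handle @cloud {
                reverse_proxy ${upstream "nextcloud"} {
                  header_up Host {upstream_hostport}
                }
                header {
                  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
                  X-Robots-Tag "noindex, nofollow"
                }
              }

              @gitea host gitea.mjallen.dev
              handle @gitea {
                reverse_proxy ${upstream "gitea"}
              }

              # Upstream is resolved by .local name, so it depends on mDNS
              # resolution on this host; a fixed address would remove that.
              @homeassistant host hass.mjallen.dev
              handle @homeassistant {
                reverse_proxy http://nuc-nixos.local:8123
              }

              @immich host immich.mjallen.dev
              handle @immich {
                reverse_proxy ${upstream "immich"}
              }

              @jellyfin host jellyfin.mjallen.dev
              handle @jellyfin {
                reverse_proxy ${upstream "jellyfin"}
              }

              @jellyseerr host jellyseerr.mjallen.dev
              handle @jellyseerr {
                reverse_proxy ${upstream "jellyseerr"}
              }

              @lubelogger host lubelogger.mjallen.dev
              handle @lubelogger {
                reverse_proxy ${upstream "lubelogger"}
              }

              @matrix host matrix.mjallen.dev
              handle @matrix {
                reverse_proxy ${upstream "matrix"}
              }

              @ntfy host ntfy.mjallen.dev
              handle @ntfy {
                reverse_proxy ${upstream "ntfy"}
              }

              @office host office.mjallen.dev
              handle @office {
                reverse_proxy ${upstream "collabora"}
              }

              # Any other name under the wildcard: close the connection
              # rather than answer with the default empty response.
              handle {
                abort
              }
            '';
          };
        };
      };
    };
  };
in
{
  imports = [
    caddy
    ./sops.nix
  ];
}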