# NixOS module: Caddy as a TLS-terminating reverse proxy for hosts under
# mjallen.dev, built with the Cloudflare DNS plugin. The service definition is
# wrapped by the project's `mkModule` helper and imported together with
# ./sops.nix.
{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
with lib;
let
  name = "caddy";
  cfg = config.${namespace}.services.${name};
  network = lib.${namespace}.network;

  # Caddy rebuilt with extra plugins. The plugin is pinned to a version tag and
  # the build is pinned by `hash`, so both values have to change together when
  # the plugin is bumped.
  caddyWithPlugins = pkgs.caddy.withPlugins {
    plugins = [ "github.com/caddy-dns/cloudflare@v0.2.3" ];
    hash = "sha256-bL1cpMvDogD/pdVxGA8CAMEXazWpFDBiGBxG83SmXLA=";
  };
  # Not enabled: "github.com/hslatman/caddy-crowdsec-bouncer/http@v0.9.2"

  # Upstream addresses. Both hops are plain HTTP (reverse_proxy uses HTTP when
  # no scheme is given), so traffic between Caddy and the backends is not
  # encrypted on the LAN.
  hassUpstream = "http://${network.hosts.nuc.lan}:${toString network.ports.nuc.homeAssistant}";
  sonarrUpstream = "${network.hosts.nas.lan}:${toString network.ports.nas.sonarr}";

  # Caddyfile global options. `default_bind 0.0.0.0` makes every site listen on
  # all IPv4 interfaces, so reachability is decided by the host firewall and by
  # the per-site matchers below.
  globalOptions = ''
    metrics
    http_port 80
    https_port 443
    default_bind 0.0.0.0
  '';

  # Wildcard site. The certificate is requested through the Cloudflare DNS
  # challenge; `{$CLOUDFLARE_DNS_API_TOKEN}` is a Caddy environment placeholder,
  # so the token itself is not written in this file.
  # NOTE(review): a DNS-challenge token only needs DNS edit rights on this one
  # zone - confirm the token in the sops secret is scoped that narrowly.
  # NOTE(review): unlike the sonarr site, hass.mjallen.dev carries no
  # remote_ip restriction and is protected only by Home Assistant's own
  # authentication - confirm that exposure is intended.
  # NOTE(review): only hass.mjallen.dev is routed; other names under the
  # wildcard have no handler in this file. Caddy's documented wildcard pattern
  # ends with a catch-all `handle { abort }` - consider it if no other module
  # contributes to this site.
  wildcardSite = ''
    tls {
      dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
    }
    @hass host hass.mjallen.dev
    handle @hass {
      reverse_proxy ${hassUpstream}
    }
  '';

  # Sonarr site: proxied only when the request comes from the LAN or Nebula
  # subnet; every other request gets 403.
  # `remote_ip` matches the address of the immediate TCP peer, not a
  # forwarded-for header, so a client cannot spoof it with request headers.
  # NOTE(review): if traffic reaches Caddy through another proxy or tunnel that
  # sits inside one of these subnets, every client looks "internal" - verify
  # the network path.
  # NOTE(review): this site has no `tls` block of its own - confirm how its
  # certificate is issued on the Caddy version in use.
  sonarrSite = ''
    @sonarr {
      remote_ip ${network.subnet.lan} ${network.subnet.nebula}
      host sonarr.mjallen.dev
    }
    handle @sonarr {
      reverse_proxy ${sonarrUpstream}
    }
    handle {
      respond "Forbidden" 403
    }
  '';

  caddyModule = lib.${namespace}.mkModule {
    inherit config name;
    description = "caddy Service";
    options = { };
    moduleConfig = {
      services.caddy = {
        enable = true;
        package = caddyWithPlugins;
        # Environment file rendered from the sops template "caddy.env"
        # (presumably declared in ./sops.nix - verify it defines
        # CLOUDFLARE_DNS_API_TOKEN).
        environmentFile = config.sops.templates."caddy.env".path;
        email = "jalle008@proton.me";
        enableReload = true;
        # Caddy keeps certificates, private keys and ACME account data in its
        # data directory; this path should not be readable by other users.
        dataDir = "${cfg.configDir}/caddy";
        globalConfig = globalOptions;
        virtualHosts = {
          "*.mjallen.dev" = {
            extraConfig = wildcardSite;
          };
          "sonarr.mjallen.dev" = {
            extraConfig = sonarrSite;
          };
        };
      };
    };
  };
in
{
  imports = [
    caddyModule
    ./sops.nix
  ];
}