# Declares the sops-nix secret holding Caddy's Cloudflare DNS API token and
# renders it into an env-style file ("caddy-internal.env") readable by the
# caddy user. Everything is gated on `<namespace>.services.caddy-internal.enable`.
#
# NOTE(review): nothing in this file references the rendered template's path;
# presumably the Caddy unit loads it elsewhere (e.g. as an EnvironmentFile).
# Confirm against the service definition.
{
  config,
  lib,
  namespace,
  ...
}:
let
  cfg = config.${namespace}.services.caddy-internal;

  # Single source of truth for the secret's name, so the declaration and the
  # placeholder lookup below cannot drift apart.
  tokenSecret = "nuc/caddy/cloudflare-dns-api-token";

  # Ownership and restart behaviour shared by the raw secret and the rendered
  # template: both are owned by the caddy account, and caddy.service is
  # restarted when either one changes.
  # No `mode` is set here, so sops-nix's default file mode applies (expected to
  # be owner-read-only; confirm against the pinned sops-nix revision).
  caddyOwned = {
    owner = config.users.users.caddy.name;
    group = config.users.users.caddy.group;
    restartUnits = [ "caddy.service" ];
  };
in
{
  config = lib.mkIf cfg.enable {
    sops = {
      # Add this key to secrets/nuc-secrets.yaml:
      #   nuc/caddy/cloudflare-dns-api-token:
      # (sops-nix is expected to resolve "/" in the name as nested YAML keys,
      # i.e. nuc -> caddy -> cloudflare-dns-api-token; verify when adding it.)
      # The value should be a Cloudflare token limited to the DNS permissions
      # and zones that Caddy actually needs, not an account-wide key.
      secrets.${tokenSecret} = caddyOwned // {
        sopsFile = lib.snowfall.fs.get-file "secrets/nuc-secrets.yaml";
      };

      # The placeholder is substituted with the decrypted value when sops-nix
      # renders the template, so the token itself is never written into the
      # Nix store, only into the rendered file.
      templates."caddy-internal.env" = caddyOwned // {
        content = ''
          CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder.${tokenSecret}}
        '';
      };
    };
  };
}