# NixOS module: Caddy as the TLS-terminating reverse proxy for *.mjallen.dev.
#
# Certificates are obtained through the Cloudflare DNS challenge. Credentials
# are decrypted by sops-nix and handed to the service through an environment
# file, so they never land in the Nix store.
{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
with lib;
let
  name = "caddy";
  cfg = config.${namespace}.services.${name};

  # Caddy rebuilt with the Cloudflare DNS provider. The plugin is pinned by
  # version tag and `hash` pins the result of fetching it, so changing the
  # plugin list requires updating the hash as well.
  caddyPackage = pkgs.caddy.withPlugins {
    plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ];
    hash = "sha256-dnhEjopeA0UiI+XVYHYpsjcEI6Y1Hacbi28hVKYQURg=";
  };
  # Not compiled in at the moment:
  # "github.com/hslatman/caddy-crowdsec-bouncer/http@v0.9.2"

  # Ownership and restart behaviour shared by every secret and template below:
  # readable by the caddy account, and caddy.service restarts when one changes.
  caddyAccount = config.users.users.caddy;
  caddyOwned = {
    owner = caddyAccount.name;
    group = caddyAccount.group;
    restartUnits = [ "caddy.service" ];
  };

  # One sops secret entry; all of them come from the same encrypted file.
  nasSecret = caddyOwned // {
    sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
  };

  # Secrets decrypted for the caddy account (keys sit under a `traefik/`
  # prefix in the secrets file).
  # NOTE(review): the three crowdsec entries are not referenced anywhere in
  # this file and the bouncer plugin is commented out above. If no other
  # module consumes them, dropping them keeps unused credentials away from the
  # internet-facing proxy account.
  secretNames = [
    "jallen-nas/traefik/crowdsec/lapi-key"
    "jallen-nas/traefik/crowdsec/capi-machine-id"
    "jallen-nas/traefik/crowdsec/capi-password"
    "jallen-nas/traefik/cloudflare-dns-api-token"
    "jallen-nas/traefik/cloudflare-zone-api-token"
    "jallen-nas/traefik/cloudflare-api-key"
    "jallen-nas/traefik/cloudflare-email"
  ];

  # Upstream URL of a service running on the NAS, using the port that the
  # service's own module option declares.
  onNas = svc: "http://10.0.1.3:${toString config.${namespace}.services.${svc}.port}";

  # Routing table for the wildcard site: matcher name, subdomain, upstream.
  # TLS ends at Caddy; every upstream is reached over plain HTTP.
  routes = [
    { matcher = "authentik"; host = "authentik"; upstream = onNas "authentik"; }
    { matcher = "cache"; host = "cache"; upstream = onNas "attic"; }
    { matcher = "gitea"; host = "gitea"; upstream = onNas "gitea"; }
    # Home Assistant runs on another machine and is addressed by name.
    { matcher = "homeassistant"; host = "hass"; upstream = "http://nuc-nixos.local:8123"; }
    { matcher = "immich"; host = "immich"; upstream = onNas "immich"; }
    { matcher = "jellyfin"; host = "jellyfin"; upstream = onNas "jellyfin"; }
    { matcher = "jellyseerr"; host = "jellyseerr"; upstream = onNas "jellyseerr"; }
    { matcher = "lubelogger"; host = "lubelogger"; upstream = onNas "lubelogger"; }
    { matcher = "matrix"; host = "matrix"; upstream = onNas "matrix"; }
    { matcher = "ntfy"; host = "ntfy"; upstream = onNas "ntfy"; }
  ];

  # Caddyfile fragment for one route: a named host matcher plus its handler.
  mkHandle =
    {
      matcher,
      host,
      upstream,
    }:
    ''
      @${matcher} host ${host}.mjallen.dev
      handle @${matcher} {
        reverse_proxy ${upstream}
      }
    '';

  caddy = lib.${namespace}.mkModule {
    inherit config name;
    description = "caddy Service";
    options = { };
    moduleConfig = {
      sops = {
        secrets = genAttrs secretNames (_: nasSecret);

        templates = {
          # Environment file rendered at activation time; the placeholders are
          # replaced with the decrypted values outside the Nix store.
          # NOTE(review): the Caddyfile in this file reads only
          # CLOUDFLARE_DNS_API_TOKEN. The zone token, API key and e-mail are
          # still exported into the proxy's environment; if the API key is the
          # account-wide Cloudflare key, confirm it is needed here and
          # otherwise remove it from this template.
          "caddy.env" = caddyOwned // {
            content = ''
              CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
              CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
              CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
              CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
            '';
          };
        };
      };

      services.caddy = {
        enable = true;
        package = caddyPackage;
        environmentFile = config.sops.templates."caddy.env".path;
        email = "jalle008@proton.me";
        enableReload = true;
        dataDir = "${cfg.configDir}/caddy";

        # Global options: turn on the `metrics` option, fix the HTTP/HTTPS
        # ports and bind listeners to every IPv4 interface.
        globalConfig = ''
          metrics
          http_port 80
          https_port 443
          default_bind 0.0.0.0
        '';

        virtualHosts = {
          # One wildcard site (and certificate) for all subdomains; requests
          # are dispatched on the Host header by the matchers from `routes`.
          # NOTE(review): there is no fallback handler, so a request for a
          # subdomain that has no matcher is still accepted by this site.
          # Consider ending the block with `handle { abort }` so unknown
          # hosts are refused explicitly.
          "*.mjallen.dev" = {
            extraConfig =
              ''
                tls {
                  dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
                }
              ''
              + concatMapStrings mkHandle routes;
          };
        };
      };
    };
  };
in
{
  imports = [ caddy ];
}