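# Declares the sops-nix secrets and the rendered environment file for Caddy.
# Everything here is only active when the caddy service option in this
# namespace is enabled.
{
  config,
  lib,
  namespace,
  ...
}:
let
  cfg = config.${namespace}.services.caddy;
  caddyUser = config.users.users.caddy;

  # Settings shared by every secret handed to Caddy.
  caddySecret = {
    # In sops-nix, `name` is the file name of the decrypted secret, not its
    # owner. Inheriting `name` from the user gave all seven secrets the same
    # file name ("caddy") and left them owned by the default owner. Set
    # `owner` explicitly so each secret keeps its own path and is readable
    # only by the caddy account.
    owner = caddyUser.name;
    inherit (caddyUser) group;
    sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
    # Restart Caddy when a secret changes so it never runs with stale credentials.
    restartUnits = [ "caddy.service" ];
  };
in
{
  config = lib.mkIf cfg.enable {
    sops = {
      secrets = {
        # CrowdSec credentials are declared here but not referenced in this file.
        # NOTE(review): confirm a consumer exists elsewhere; drop any that are
        # unused so fewer credentials are decrypted onto the host.
        "jallen-nas/traefik/crowdsec/lapi-key" = caddySecret;
        "jallen-nas/traefik/crowdsec/capi-machine-id" = caddySecret;
        "jallen-nas/traefik/crowdsec/capi-password" = caddySecret;

        # Cloudflare credentials rendered into caddy.env below.
        "jallen-nas/traefik/cloudflare-dns-api-token" = caddySecret;
        "jallen-nas/traefik/cloudflare-zone-api-token" = caddySecret;
        # NOTE(review): a global API key plus e-mail is account-wide. If the
        # scoped tokens above cover what Caddy needs, consider removing both.
        "jallen-nas/traefik/cloudflare-api-key" = caddySecret;
        "jallen-nas/traefik/cloudflare-email" = caddySecret;
      };

      templates = {
        # Environment file for the Caddy unit. The placeholders are replaced
        # with the decrypted values at activation time, so no secret value is
        # written to the Nix store.
        "caddy.env" = {
          content = ''
            CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
            CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
            CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
            CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
          '';
          # As with the secrets, use `owner`, not `name`: inheriting `name`
          # renamed the rendered file to "caddy" and left it with the default
          # owner. Consumers that read `config.sops.templates."caddy.env".path`
          # follow the new path automatically; any hard-coded path needs
          # checking.
          owner = caddyUser.name;
          inherit (caddyUser) group;
          restartUnits = [ "caddy.service" ];
        };
      };
    };
  };
}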