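# NixOS module: run Caddy as a reverse proxy with Cloudflare DNS-01 ACME.
#
# Enabled via `my.networking.caddy.enable`. When enabled it:
#   - decrypts the Cloudflare API key (agenix) readable only by the caddy user,
#   - runs the custom Caddy package with a reusable `(cloudflare)` TLS snippet,
#   - passes the key to the service through an EnvironmentFile,
#   - opens TCP/UDP 80 and 443 in the firewall.
{ config, pkgs, lib, ... }:

let
  cfg = config.my.networking.caddy;
in
{
  options.my.networking.caddy = {
    # mkEnableOption prefixes "Whether to enable ", so the argument is only the
    # subject: the old text rendered as "Whether to enable Enable caddy as ...".
    enable = lib.mkEnableOption "caddy as a reverse proxy";
  };

  config = lib.mkIf cfg.enable {
    # Decrypted secret is owned by the caddy service user/group so that the
    # EnvironmentFile below can be read without running the service as root.
    age.secrets = {
      cloudflare-tegola-apiKey = {
        file = ../../secrets/cloudflare-tegola-apiKey.age;
        owner = config.services.caddy.user;
        group = config.services.caddy.group;
      };
    };

    services.caddy = {
      enable = true;
      package = pkgs.caddy-custom;

      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!

      # Caddyfile snippet; sites import it with `import cloudflare` to obtain
      # certificates through the Cloudflare DNS challenge. The API key is read
      # from the environment (see EnvironmentFile below), never from the
      # Caddyfile itself, so it does not end up in the Nix store.
      extraConfig = ''
        (cloudflare) {
          tls {
            dns cloudflare {env.CLOUDFLARE_KEY}
            resolvers 1.1.1.1 100.100.100.100
          }
        }
      '';
    };

    systemd.services.caddy.serviceConfig = {
      # File providing CLOUDFLARE_KEY to the process environment.
      EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
      # Needed to bind the privileged ports 80/443 as the unprivileged caddy user.
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
    # NOTE(review): UDP 443 is what HTTP/3 (QUIC) would use if enabled; UDP 80
    # has no corresponding listener in this configuration — confirm it is
    # intentional before keeping it open.
    networking.firewall.allowedUDPPorts = [ 80 443 ];
  };
}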