# NixOS module: runs a patched Caddy build as the host's web server, pulls
# ACME-related Caddyfile settings from an age-encrypted secret, and serves
# Prometheus metrics on a separate listener (port 2018).
{ config, caddy-patched, ... }:
let
  # Decrypted secret as declared under age.secrets below. Only its runtime
  # path is interpolated into the Caddyfile; the file contents are read by
  # Caddy at load time and are not copied into the generated config.
  acmeSecret = config.age.secrets.acme-caddy;

  # NOTE(review): the system is hard-coded, so this module only evaluates
  # for x86_64-linux hosts; confirm that is intended.
  caddyPackage = caddy-patched.packages.x86_64-linux.default;
in
{
  # The secret is owned by the "caddy" user so the service can read it.
  # File mode is not set here and stays at the secrets module's default;
  # presumably owner-only, so verify before changing owner or group.
  age.secrets.acme-caddy.file = ../../secrets/shared/acme-caddy.age;
  age.secrets.acme-caddy.owner = "caddy";

  services.caddy = {
    enable = true;
    package = caddyPackage;

    # Contact address passed to Caddy for certificate management.
    email = "ca@${config.networking.domain}";
    logFormat = "format console";

    # `servers { metrics }` turns on per-server metrics collection; the
    # import line splices in the decrypted secret as extra global options.
    # NOTE(review): the imported file is parsed as Caddyfile syntax with the
    # same authority as this block, so treat write access to the .age source
    # as equivalent to write access to this module.
    globalConfig = ''
      servers {
        metrics
      }
      import ${acmeSecret.path}
    '';

    virtualHosts = {
      # Metrics listener. The site address has no host part, so it is bound
      # on every interface rather than loopback only. Port 2018 is not in
      # allowedTCPPorts below, so remote reachability depends on the host
      # firewall being enabled and on which interfaces are trusted.
      # NOTE(review): confirm the scrape path; metrics reveal served hosts
      # and traffic shape, so keep this off untrusted networks.
      ":2018" = {
        extraConfig = ''
          metrics
        '';
        # Access logs for scrape requests are dropped.
        logFormat = ''
          output discard
        '';
      };
    };
  };

  # Caddy keeps certificates and ACME account keys under
  # $XDG_DATA_HOME/caddy, so this places them in /var/lib/caddy.
  systemd.services.caddy.environment = {
    XDG_DATA_HOME = "/var/lib";
  };

  # Only the public web ports are opened: 80/443 over TCP, and 443 over UDP
  # (HTTP/3 over QUIC).
  networking.firewall = {
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPorts = [ 443 ];
  };
}