nixos/options/custom/services/caddy.nix

{
  config,
  inputs,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.custom.services.caddy;
in {
  options.custom.services.caddy.enable = mkOption {default = false;};

  config = mkIf cfg.enable {
    age.secrets = let
      secret = filename: {
        file = "${inputs.self}/secrets/${filename}";
        owner = "caddy";
        group = "caddy";
      };
    in {
      "${config.custom.profile}/caddy/Caddyfile" = secret "${config.custom.profile}/caddy/Caddyfile";
    };

    # https://caddyserver.com/
    # https://github.com/caddyserver/caddy
    services = {
      caddy = {
        enable = true;

        # BUG: DNS-over-TLS not currently functional, reattempt when fixed or PROXY protocol supported
        # https://github.com/mholt/caddy-l4/issues/276
        # https://github.com/AdguardTeam/AdGuardHome/issues/2798
        # TODO: Use stable package when available with plugins
        # https://github.com/NixOS/nixpkgs/pull/358586
        package = pkgs.unstable.caddy.withPlugins {
          #?? Copy from failed build
          hash = "sha256-JVkUkDKdat4aALJHQCq1zorJivVCdyBT+7UhqTvaFLw=";

          #?? REPO@TAG
          plugins = [
            # https://github.com/caddy-dns/cloudflare
            "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"

            # https://github.com/mholt/caddy-l4
            #// "github.com/mholt/caddy-l4@v0.0.0-20250124234235-87e3e5e2c7f9"

            # https://github.com/tailscale/caddy-tailscale
            #// "github.com/tailscale/caddy-tailscale@v0.0.0-20250207004440-fd3f49d73216"
          ];
        };

        # TODO: Convert services to Tailscale subdomains when supported or use plugin when supported by nix
        # https://github.com/tailscale/tailscale/issues/7081
        # https://github.com/tailscale/caddy-tailscale
        # https://github.com/NixOS/nixpkgs/pull/317881
        configFile = config.age.secrets."${config.custom.profile}/caddy/Caddyfile".path;
      };
    };

    # Serve static files
    systemd.tmpfiles.settings."10-caddy" = {
      "/srv/static" = {
        d = {
          user = "caddy";
          group = "caddy";
        };

        #!! Recursive
        Z = {
          user = "caddy";
          group = "caddy";
        };
      };
    };

    networking.firewall = {
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
      ];
    };
  };
}