nixos/roles/caddy.nix

{
  config,
  pkgs,
  ...
}:

{
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      plugins = [
        "github.com/tailscale/caddy-tailscale@v0.0.0-20250508175905-642f61fea3cc"
      ];
      hash = "sha256-Kbqr7spiL8/UvT0HtCm0Ufh5Nm1VYDjyNWPCd1Yxyxc=";
    };
    email = "nolan@thewordnerd.info";
  };
  age.secrets.tsAuthKey = {
    file = ../secrets/ts_auth_key.age;
    owner = config.services.caddy.user;
    group = config.services.caddy.group;
    mode = "600";
  };
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.tsAuthKey.path;
}