# NixOS module: serves a static file tree over HTTPS with Caddy.
#
# Arguments used here:
#   service_configs.https.domain    - public hostname of the site
#   service_configs.https.data_dir  - directory exposed as the web root
#   service_configs.ports.https     - port opened for TCP and UDP
#   username                        - account added to Caddy's group
{
  config,
  service_configs,
  username,
  pkgs,
  lib,
  ...
}:
let
  caddy = config.services.caddy;
  https = service_configs.https;
  stateDir = "/var/lib/caddy";
in
{
  imports = [
    # Project helper (defined outside this file); from its name and arguments it
    # presumably orders the caddy unit after the mounts backing these paths.
    (lib.serviceMountDeps "caddy" [
      stateDir
      https.data_dir
    ])
  ];

  services.caddy = {
    enable = true;
    # Contact address handed to the ACME CA for certificate issuance.
    email = "titaniumtown@proton.me";

    virtualHosts.${https.domain} = {
      serverAliases = [ "www.${https.domain}" ];
      # `browse` turns on directory listings: every file under the web root is
      # enumerable and downloadable by anyone who can reach the site. Keep only
      # content meant to be public in data_dir.
      extraConfig = ''
        root * ${https.data_dir}
        file_server browse
      '';
    };
  };

  # Create both directories owned by Caddy, mode 750: owner full access,
  # group read/traverse, no access for others.
  systemd.tmpfiles.rules = [
    "d ${https.data_dir} 750 ${caddy.user} ${caddy.group}"
    "d ${stateDir} 750 ${caddy.user} ${caddy.group}"
  ];

  # NOTE(review): systemd.packages is meant for packages that ship systemd
  # units. If the goal is to make certutil available to Caddy, confirm this
  # option has the intended effect.
  systemd.packages = [ pkgs.nssTools ];

  networking.firewall.allowedTCPPorts = [
    service_configs.ports.https

    # http (but really ACME challenges)
    80
  ];

  # Same port over UDP, presumably for HTTP/3 (QUIC); confirm it is wanted.
  networking.firewall.allowedUDPPorts = [ service_configs.ports.https ];

  # Group membership gives this account read/traverse (not write) on both
  # 750 directories above.
  # NOTE(review): that includes /var/lib/caddy, Caddy's state directory.
  # Confirm the account needs more than the web root.
  users.users.${username}.extraGroups = [ caddy.group ];
}