# NixOS module: runs Caddy as a static file server for the configured HTTPS
# domain, creates the served directory, and opens the matching firewall ports.
{ config, service_configs, username, pkgs, ... }:
let
  https = service_configs.https;
  caddy = config.services.caddy;
in
{
  services.caddy = {
    enable = true;
    # Contact address Caddy registers with the ACME CA.
    email = "titaniumtown@proton.me";

    virtualHosts.${https.domain} = {
      serverAliases = [ "www.${https.domain}" ];
      # `browse` turns on directory listings, so every file placed under
      # data_dir is both enumerable and downloadable by anyone who can reach
      # the site. Keep the directory limited to content meant to be public.
      extraConfig = ''
        root * ${https.data_dir}
        file_server browse
      '';
    };
  };

  systemd = {
    # Served directory: owner and group (Caddy's) get rwx, others get nothing.
    # Every member of the Caddy group can therefore publish or replace files.
    tmpfiles.rules = [
      "d ${https.data_dir} 770 ${caddy.user} ${caddy.group}"
    ];

    # NOTE(review): systemd.packages is meant for packages that ship systemd
    # units. If the goal is to make certutil from nssTools available to Caddy,
    # confirm this line actually has that effect.
    packages = [ pkgs.nssTools ];
  };

  networking.firewall = {
    allowedTCPPorts = [
      service_configs.ports.https

      # http (but really acmeCA challenges)
      80

      # for matrix federation
      # NOTE(review): no listener for 8448 is defined in this file; presumably
      # it is configured elsewhere. Verify something authenticated answers here.
      8448
    ];

    allowedUDPPorts = [
      # presumably for HTTP/3 (QUIC) on the HTTPS port
      service_configs.ports.https

      # for matrix federation
      # NOTE(review): UDP is only needed if HTTP/3 is served on this port;
      # confirm, and drop it otherwise to reduce the exposed surface.
      8448
    ];
  };

  # Lets the interactive user write into the served directory via the group
  # bit above.
  # NOTE(review): group membership also grants whatever else is
  # group-accessible to Caddy; check the permissions on Caddy's state
  # directory, which holds its TLS private keys.
  users.users.${username}.extraGroups = [ caddy.group ];
}