server-config/services/caddy.nix

{
  config,
  service_configs,
  username,
  pkgs,
  lib,
  inputs,
  ...
}:

let
  theme = pkgs.fetchFromGitHub {
    owner = "kaiiiz";
    repo = "hugo-theme-monochrome";
    rev = "d17e05715e91f41a842f2656e6bdd70cba73de91";
    sha256 = "h9I2ukugVrldIC3SXefS0L3R245oa+TuRChOCJJgF24=";
  };

  hugo-neko = pkgs.fetchFromGitHub {
    owner = "ystepanoff";
    repo = "hugo-neko";
    rev = "5a50034acbb1ae0cec19775af64e7167ca22725e";
    sha256 = "VLwr4zEeFQU/b+vj0XTLSuEiosuNFu2du4uud7m8bnw=";
  };

  hugoWebsite = pkgs.stdenv.mkDerivation {
    pname = "hugo-site";
    version = "0.1";

    src = inputs.website;

    nativeBuildInputs = with pkgs; [
      hugo
      go
      git
    ];

    installPhase = ''
      rm -fr themes/theme modules/hugo-neko
      cp -r ${theme} themes/theme
      cp -r ${hugo-neko} modules/hugo-neko
      hugo --minify -d $out;
    '';
  };
in
{
  imports = [
    (lib.serviceMountDeps "caddy" [
      config.services.caddy.dataDir
    ])
    (lib.serviceDependZpool "caddy" service_configs.zpool_ssds)
  ];

  services.caddy = {
    enable = true;
    email = "titaniumtown@proton.me";
    virtualHosts = {
      ${service_configs.https.domain} = {
        extraConfig = ''
          root * ${hugoWebsite}
          file_server browse
        '';

        serverAliases = [ "www.${service_configs.https.domain}" ];
      };
    };
  };

  # Add agenix dependency for caddy service
  systemd.services.caddy = {
    after = [ "agenix.service" ];
    requires = [ "agenix.service" ];
  };

  systemd.tmpfiles.rules = [
    "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
  ];

  systemd.packages = with pkgs; [ nssTools ];

  networking.firewall.allowedTCPPorts = [
    service_configs.ports.https

    # http (but really acmeCA challenges)
    80
  ];

  networking.firewall.allowedUDPPorts = [
    service_configs.ports.https
  ];

  users.users.${username}.extraGroups = [
    config.services.caddy.group
  ];
}