{ pkgs, secrets, ... }:

let
  # All Porkbun credentials this module forwards to Caddy come from here.
  porkbun = secrets.programs.caddy;
in
{
  # TODO: Containerize once I setup a proper shared bridge network
  services.caddy.enable = true;

  # Caddy is built with the Porkbun DNS plugin (presumably for DNS-based
  # ACME challenges; see ./Caddyfile). The hash pins the plugin build so a
  # changed upstream module cannot be substituted without a hash mismatch.
  services.caddy.package = pkgs.caddy.withPlugins {
    plugins = [ "github.com/caddy-dns/porkbun@v0.2.1" ];
    hash = "sha256-oizWuPXI0M9ngBCt/iEXWt+/33wpKlCs1yBPKnzFhRY=";
  };

  # A standalone Caddyfile is used instead of an inline multiline Nix
  # string: it stays readable and keeps editor syntax highlighting.
  services.caddy.configFile = ./Caddyfile;

  # The Porkbun plugin reads its credentials from the service environment.
  # NOTE(review): anything set via systemd.services.<name>.environment is
  # rendered as Environment= lines in the generated unit file, which lives
  # in the world-readable Nix store and is also visible through
  # `systemctl show caddy`. If these attributes evaluate to the literal key
  # material, any local user can read them; serviceConfig.EnvironmentFile
  # pointing at a root-only file outside the store avoids that. Confirm how
  # `secrets` is sourced before relying on this.
  systemd.services.caddy.environment = {
    PORKBUN_API_KEY = porkbun.porkbun_api_key;
    PORKBUN_API_SECRET_KEY = porkbun.porkbun_secret_key;
  };

  # Open only the ports Caddy serves on.
  networking.firewall.allowedTCPPorts = [ 80 443 ]; # HTTP/1-2
  networking.firewall.allowedUDPPorts = [ 443 ];    # HTTP/3 w/ QUIC
}