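# NixOS module: serve the "prompter" instance as a static site through Caddy,
# gated by HTTP basic auth. The credentials never enter the Nix store: Caddy
# reads CADDY_AUTH_USER / CADDY_AUTH_PASSWORD_HASH from a sops-managed
# environment file and expands the {$VAR} placeholders at Caddyfile parse time.
{ config, flake, ... }:
let
  inherit (flake.config.services.instances) prompter;
  service = prompter;
  host = prompter.domains.url0;

  # Single source of truth for the sops secret key. The declaration under
  # `sops.secrets` and the `environmentFile` reference are both derived from
  # it, so they cannot drift apart (the previous hard-coded key
  # "caddy/prompter-auth" was not declared by this module).
  authSecretName = "${service.name}/auth";

  # Secret files live under the service's sops directory and are readable by
  # the caddy user only.
  secretFile = secret: {
    path = "${service.sops.path0}/${service.name}-${secret}";
    owner = "caddy";
    mode = "600";
  };
in
{
  services.caddy = {
    # KEY=VALUE file holding the basic-auth user and bcrypt hash.
    environmentFile = config.sops.secrets.${authSecretName}.path;

    # Static file server with SPA-style fallback to /index.html; TLS uses the
    # certificate/key pair configured on the service instance.
    virtualHosts."${host}".extraConfig = ''
      basicauth {
        {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH}
      }
      root * ${service.paths.path0}
      file_server
      encode gzip
      try_files {path} /index.html
      tls ${service.ssl.cert} ${service.ssl.key}
    '';
  };

  # Declares "<service.name>/auth" (and any further secrets added to the list)
  # with the path/owner/mode from `secretFile`.
  sops.secrets = builtins.listToAttrs (
    map (secret: {
      name = "${service.name}/${secret}";
      value = secretFile secret;
    }) [ "auth" ]
  );

  systemd.tmpfiles.rules = [
    # Web root: a recursive ownership/mode fix-up is fine for static assets.
    "Z ${service.paths.path0} 755 caddy caddy -"
    # Secrets directory: deliberately NOT recursive. A recursive "Z ... 755"
    # would also rewrite the secret files beneath it to 0755 (world-readable),
    # silently undoing the mode = "600" that sops applies. The directory only
    # needs to be traversable by caddy, so 750 is enough.
    "z ${service.sops.path0} 750 caddy caddy -"
  ];
}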