# NixOS module: enables Caddy for the primary user's first domain, serving it
# with a certificate read from /var/lib/acme rather than one Caddy obtains itself.
{flake, ...}: let
  people = flake.config.people;
  user0 = people.user0;
  domain = people.user.${user0}.domain;
  ports = flake.config.service.instance.caddy.ports;

  # Directory holding the certificate material for this host.
  # presumably written by the NixOS ACME module (security.acme) — confirm.
  certDir = "/var/lib/acme/${domain.url0}";
in {
  services.caddy.enable = true;

  # An explicit `tls <cert> <key>` makes Caddy load these files for this site;
  # renewal is therefore the job of whatever maintains certDir, and Caddy must
  # be reloaded after renewal to pick up the new certificate — verify that a
  # reload hook exists elsewhere in the configuration.
  services.caddy.virtualHosts."${domain.url0}".extraConfig = ''
    tls ${certDir}/fullchain.pem ${certDir}/key.pem
    encode zstd gzip
  '';

  # "acme" presumably grants read access to key.pem above (group-readable
  # private key: every member of that group can read it).
  # NOTE(review): nothing in this module references nextcloud- or
  # mastodon-owned paths; confirm these two memberships are still needed
  # (e.g. for unix sockets or static files configured elsewhere) and drop
  # them otherwise, since each one widens what a compromised Caddy process
  # can read.
  users.users.caddy.extraGroups = ["acme" "nextcloud" "mastodon"];

  # Opens the two Caddy ports on every interface. The numbers come from
  # flake.config.service.instance.caddy.ports — presumably 80 and 443; confirm.
  networking.firewall.allowedTCPPorts = [
    ports.port0
    ports.port1
  ];
}