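# Caddy web server + Cloudflare dynamic-DNS module for the homelab host.
#
# The Cloudflare API token never appears in the Nix store or the Caddyfile:
# it is decrypted by sops into a dotenv file that only the caddy group can
# read, and Caddy picks it up through `environmentFile`.
{ inputs, config, pkgs, lib, ... }:
let
  # Public domain served by this host; provided by the private secrets flake.
  homelabDomain = inputs.nixos-secrets.homelabDomain;
in
{
  # Presumably to keep a second web server from contending for ports 80/443;
  # mkForce wins even if another module sets `services.nginx.enable = true`.
  services.nginx.enable = lib.mkForce false;

  # Decrypted dotenv file holding the Cloudflare DNS API token.
  sops.secrets.cloudflare_env = {
    # Read-only for the owner and the caddy group; no access for others.
    mode = "0440";
    sopsFile = "${inputs.nixos-secrets}/lithium/cloudflare.env";
    format = "dotenv";
    group = config.services.caddy.group;
    # Make Caddy re-read the token whenever the decrypted file changes.
    restartUnits = [ "caddy.service" ];
  };

  # TODO: Revert to using Caddy DNS for the whole thing.
  # TODO: Add another cloudflare DDNS provider.
  # TODO: Add Metrics with Prometheus & Grafana
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      # NOTE: Occasionally specify @latest and update the new versions, and the result hash.
      # Plugin versions are pinned and the build output is hash-locked, so the
      # binary only changes when both are updated here on purpose.
      plugins = [
        "github.com/mholt/caddy-dynamicdns@v0.0.0-20250430031602-b846b9e8fb83"
        "github.com/caddy-dns/cloudflare@v0.2.1"
      ];
      # NOTE: Built on 9/30/2025
      hash = "sha256-xuwNkxZop+RnzFtM9DEwah95nPSyx8KgM+Eu4EJ9kqI=";
    };

    # NOTE: Use Staging CA while testing, check `systemctl status caddy`
    # to see if everything is working.
    # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";

    # Supplies {$CLOUDFLARE_DNS_API_TOKEN} to the Caddy process without
    # writing the token into the (world-readable) generated Caddyfile.
    environmentFile = config.sops.secrets.cloudflare_env.path;

    # NOTE: DNS provider settings
    # https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148
    globalConfig = ''
      #acme_dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}

      dynamic_dns {
        provider cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
        check_interval 30m
        ttl 5m
        domains {
          ${homelabDomain} @
        }
        dynamic_domains
      }
    '';
  };

  # Expose HTTP (80) and HTTPS (443) only. UDP 443 is presumably for
  # HTTP/3 (QUIC) — TODO confirm it is actually in use, otherwise drop it.
  networking.firewall = {
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPorts = [ 443 ];
  };
}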