{
  pkgs,
  lib,
  config,
  ...
}:
with lib;
let
  cfg = config.xyno.services.caddy;
  wildcardMatcherStr = wildcard: hostName: content: ''
    @${hostName} host ${hostName}.${wildcard}
    handle @${hostName} {
      ${content.extraConfig}
    }

  '';
  genOneWildcard = wildcard: host: {
    extraConfig = ''
      # extra pre
      ${host.extraConfigPre}
      # block bots
      ${optionalString host.blockBots "import blockBots"}
      # hosts handler
      ${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)}
      # extra post
      ${host.extraConfigPost}
      abort
    '';
  };
  genVHostsFromWildcard = mapAttrs' (
    n: v: nameValuePair "*.${n}" (genOneWildcard n v)
  ) cfg.wildcardHosts;
in
{
  options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin";
  options.xyno.services.caddy.wildcardHosts = mkOption {
    example = {
      "hailsatan.eu" = {
        blockBots = true;
        hosts.md.extraConfig = ''reverse_proxy ...'';
      };
    };
    default = { };
    type =
      with types;
      attrsOf (submodule {
        options = {
          blockBots = mkOption {
            type = bool;
            default = false;
          };
          extraConfigPre = mkOption {
            type = str;
            default = "";
          };
          extraConfigPost = mkOption {
            type = str;
            default = "";
          };
          hosts = mkOption {
            default = {};
            type = attrsOf (submodule {
              options = {
                extraConfig = mkOption { type = lines; };
              };
            });
          };
        };
      });
  };
  config = lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
    networking.firewall.allowedUDPPorts = [ 443 ];
    services.caddy = {
      enable = true;
      package = pkgs.caddy-desec;
      virtualHosts = genVHostsFromWildcard;
      email = mkDefault "ssl@xyno.systems";
      acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory";
      globalConfig = ''
        metrics {
          per_host
        }
      '';
      extraConfig = ''
        (blockBots) {
          @botForbidden header_regexp User-Agent "(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot"

          handle @botForbidden   {
            redir https://hil-speed.hetzner.com/10GB.bin
          }
          handle /robots.txt {
            respond <<TXT
            User-Agent: *
            Disallow: /
            TXT 200
          }
        }
      '';
    };
    xyno.services.monitoring.exporters.caddy = 2019;

  };
}