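# NixOS module: Caddy built with the deSEC DNS plugin, driven by a JSON
# configuration that is type-checked against the bundled Caddy JSON schema.
{ pkgs, lib, config, ... }:
with lib;
let
  cfg = config.xyno.services.caddy;

  # Turns Caddy's JSON schema into a NixOS option type so that
  # `xyno.services.caddy.config` is validated at evaluation time.
  schema = import ./json-schema.nix {
    inherit pkgs lib;
    schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json);
  };

  # Serialiser for the generated config file.  The original referenced an
  # unbound `json`, which fails at evaluation time; `pkgs.formats.json`
  # provides the `generate` function used below.
  json = pkgs.formats.json { };
in
{
  options.xyno.services.caddy.enable =
    mkEnableOption "enables caddy with the desec plugin";

  options.xyno.services.caddy.config = mkOption {
    default = { };
    type = schema.type;
    description = "Caddy JSON configuration, validated against caddy_schema.json.";
  };

  config = mkIf cfg.enable {
    # 80/443 TCP for HTTP/HTTPS; 443 UDP presumably for HTTP/3 (QUIC).
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    networking.firewall.allowedUDPPorts = [ 443 ];

    # Module defaults; they are merged with whatever the user sets in
    # `xyno.services.caddy.config`.
    xyno.services.caddy.config = {
      apps = {
        http.metrics.per_host = true;
        tls.automation.policies = [
          {
            issuers = [
              {
                ca = "https://acme-v02.api.letsencrypt.org/directory";
                challenges.dns.provider = {
                  name = "desec";
                  # TODO: point this at the deSEC API token.  Keep the token
                  # itself out of this file: any literal written here ends up
                  # in the world-readable Nix store.
                  token.path = "";
                };
              }
            ];
            module = "acme";
          }
        ];
      };
    };

    services.caddy = {
      enable = true;
      package = pkgs.caddy-desec;
      adapter = "json";
      configFile = json.generate "caddy-config.json" cfg.config;
    };

    # 2019 is Caddy's default admin port; the monitoring module presumably
    # scrapes metrics from it -- confirm against the exporter definition.
    xyno.services.monitoring.exporters.caddy = 2019;
  };
}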