{ base, config, pkgs, lib, ... }:
let
  # Render the Caddy configuration: ./caddy/caddyfile.nix is a function of
  # pkgs/lib/config whose result is serialised to Caddy's JSON format and
  # written to the store as "caddy.json".
  renderedCaddyJson = pkgs.writeText "caddy.json"
    (builtins.toJSON (import ./caddy/caddyfile.nix { inherit pkgs lib config; }));

  # Settings that apply on every evaluation.
  unconditional = {
    # Other modules (PrivateBin, Nextcloud, ...) try to switch nginx on;
    # Caddy is the web server on this host, so nginx is kept off.
    services.nginx.enable = false;

    services.caddy = {
      enable = true;
      configFile = renderedCaddyJson;
      package = pkgs.callPackage ../packages/caddy.nix { };
      # NOTE(review): Caddy runs as root, and ProtectHome is forced off below.
      # Presumably this is so the service can read the root-owned 0600/0400
      # secret files configured in this module — confirm that is the only
      # reason, since a root Caddy widens the impact of any bug in it.
      user = "root";
    };
    systemd.services.caddy.serviceConfig.ProtectHome = lib.mkForce false;

    # Cloudflare API token decrypted by sops-nix; readable by root only (0600).
    sops.secrets.cloudflare_token = {
      mode = "0600";
      owner = config.users.users.root.name;
      group = config.users.users.nobody.group;
      sopsFile = ../secrets/caddy.json;
      format = "json";
    };
  };

  # Settings that exist only when `base` is supplied. `base` is presumably a
  # prior evaluation of this configuration (the caller is not visible here —
  # confirm). Its rendered Caddy JSON is handed to scalpel as `source`, with
  # the sops secret path bound to the "cloudflare_token" matcher, and the
  # Caddy unit then reads scalpel's `destination` instead of the store path.
  # The scalpel module itself is defined elsewhere; verify its substitution
  # semantics against that module.
  derived =
    if base == null then { }
    else
      let
        renderedFromBase = base.config.services.caddy.configFile;
      in
      {
        scalpel.trafos."caddy.json" = {
          source = toString renderedFromBase;
          matchers."cloudflare_token".secret =
            config.sops.secrets.cloudflare_token.path;
          owner = config.users.users.root.name;
          group = config.users.users.nobody.group;
          mode = "0400";
        };

        # Override the store-path config with scalpel's output file.
        services.caddy.configFile = lib.mkForce config.scalpel.trafos."caddy.json".destination;

        # Reload Caddy whenever the rendered (pre-substitution) JSON changes.
        systemd.services.caddy.reloadTriggers = [ renderedFromBase ];
      };
in
lib.recursiveUpdate unconditional derived
