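# NixOS module: serves kansai.cloud over HTTPS and plain HTTP with Caddy.
# Every request is answered with the value of its X-Forwarded-For header; when
# the header is absent it is first filled in with the connecting peer's address.
{ config, pkgs, ... }:
{
  # Open TCP 80 and 443 in the host firewall for Caddy.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # Environment variables for the caddy unit are loaded from the file that the
  # sops secret `caddy_environment_file` resolves to, so their values are
  # referenced by path and never written into this module.
  systemd.services.caddy.serviceConfig.EnvironmentFile =
    config.sops.secrets.caddy_environment_file.path;

  services.caddy = {
    enable = true;
    # Caddy build taken from pkgs.caddy-tailscale (defined outside this file;
    # presumably Caddy with the Tailscale plugin -- confirm in the overlay).
    package = pkgs.caddy-tailscale;

    virtualHosts =
      let
        # Site body shared by both virtual hosts. Each directive sits on its
        # own line because Caddyfile arguments run to the end of the line; on
        # a single line the named matcher would take the following directives
        # as its own tokens.
        #
        #   1. @no_forwarded_for matches requests without X-Forwarded-For.
        #   2. For those requests the header is set to {remote_host}.
        #   3. The header value is returned as the response body, status 200.
        #
        # NOTE(review): a header sent by the client is echoed back unchanged,
        # so the body is only an authoritative peer address when the request
        # arrived without X-Forwarded-For. With 80/443 open on this host, Caddy
        # may be the first hop; if so, treat the output as client-controlled
        # text, never as an identity or allow-list input. If a trusted proxy
        # does sit in front, confirm it overwrites the header rather than
        # appending to it, and that the response Content-Type stays non-HTML.
        kansaiCloudConfig = ''
          @no_forwarded_for not header X-Forwarded-For *
          request_header @no_forwarded_for X-Forwarded-For {remote_host}
          respond /* {header.X-Forwarded-For} 200
        '';
      in
      {
        # Same body on the scheme-less site and on an explicit http:// site,
        # so plain-HTTP clients get the answer directly (presumably instead of
        # Caddy's automatic redirect to HTTPS -- confirm).
        "kansai.cloud".extraConfig = kansaiCloudConfig;
        "http://kansai.cloud".extraConfig = kansaiCloudConfig;
      };
  };
}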