{
  pkgs,
  lib,
  ...
}: {
  networking.firewall.allowedTCPPorts = [80 8448 443];

  services.tailscale.permitCertUid = "caddy";

  services.caddy = let
    catppuccin = builtins.fromJSON (builtins.readFile (pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/catppuccin/element/main/config.json";
      hash = "sha256-9y113raGhCKlKAPmi5MXEW64qpPJ9u2oN/kwR5etZo0=";
    }));

    element = pkgs.element-web.override {
      conf =
        {
          default_server_config."m.homeserver" = {
            "base_url" = "https://broccoli.town";
            "server_name" = "broccoli.town";
          };
        }
        // catppuccin;
    };

    config = pkgs.substituteAll {
      inherit element;
      src = ./Caddyfile;
    };
  in {
    enable = true;
    configFile = config;
    adapter = "caddyfile";
  };
}