{ ... }: {
  services.caddy = {
    enable = true;
    globalConfig = ''
      auto_https disable_redirects
    '';
    virtualHosts =
      let
        local_tls = ''
          tls {
            issuer internal {
              ca local
            }
          }
        '';
      in
      {
        "localhost" = {
          logFormat = "output discard";
          extraConfig = ''
            ${local_tls}
            acme_server {
              allow {
                domains *.test *.localhost
              }
            }
          '';
        };
        # need to test forwarding behaviour
        "https://alanpearce.localhost" = {
          logFormat = "output discard";
          serverAliases = [
            "http://alanpearce.localhost"

            # remember to update /etc/hosts
            "https://alanpearce.test"
            "http://alanpearce.test"
          ];
          extraConfig = ''
            ${local_tls}
            reverse_proxy http://alanpearce.test:8080 {
              transport http {
                dial_timeout 1s
                compression off
              }
            }
          '';
        };
        "searchix.localhost" = {
          logFormat = "output discard";
          extraConfig = ''
            reverse_proxy http://localhost:7331 {
              transport http {
                dial_timeout 1s
                compression off
              }
            }
          '';
        };
      };
  };
}