{ self, ... }:
{
  flake.domain = "heimfeld.hamburg";
  flake.machines.tharos = {
    nixos =
      { ... }:
      {
        networking.firewall.allowedTCPPorts = [
          80
          443
        ];

        services.caddy = {
          enable = true;
          email = "redaktion@${self.domain}";
          globalConfig = ''
            metrics {
              per_host
            }
          '';
        };
        services.prometheus.scrapeConfigs = [
          {
            job_name = "caddy";
            static_configs = [
              {
                targets = [ "localhost:2019" ];
              }
            ];
          }
        ];
      };

    vm =
      { pkgs, ... }:
      {
        services.caddy.globalConfig = ''
          local_certs
        '';

        systemd.services.caddy.path = [ pkgs.nssTools ]; # Irrelevante Warnung unterdrücken
      };
  };
}