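# Caddy static file server reachable over the tailnet only.
#
# Two sites are served: the NixOS manual built from this host's own
# configuration, and a browsable downloads directory. Every site imports
# the `(tailscale)` snippet below, which binds Caddy to the tailnet address
# and uses Caddy's internal CA. Access control therefore rests on that bind:
# anyone who can reach the address can browse /srv/dl/.
{ config, lib, pkgs, ... }:

let
  # Address Caddy binds to AND the A-record value headscale hands out for
  # both hostnames. Kept in one binding so the bind line and the DNS
  # records cannot drift apart when the address changes again.
  tailscaleIP = "100.100.0.1";

  manualHostname = "manual.everest.tailscale";
  downloadsHostname = "dl.everest.tailscale";

  # Shared site body for the two downloads vhosts (https and plain http).
  # `browse` enables a directory listing of /srv/dl/.
  downloadsConfig = ''
    import tailscale
    file_server browse
    root * /srv/dl/
  '';
in
{
  services.caddy = {
    enable = true;

    # Local CA that backs `tls internal` in the snippet below.
    globalConfig = ''
      pki {
        ca local {
          name "Caddy (Everest) local CA"
        }
      }
    '';

    # Snippet imported by every site: internal TLS and an explicit bind to
    # the tailnet address, so Caddy does not listen on other interfaces.
    extraConfig = ''
      (tailscale) {
        tls internal
        # Old tailscale IP
        # bind 100.73.96.48
        bind ${tailscaleIP}
      }
    '';

    virtualHosts = {
      nixos-manual = {
        hostName = manualHostname;
        extraConfig =
          let
            # Pre-compressed variant of this system's manual, so file_server
            # can hand out the zstd/br/gzip files directly.
            manual = pkgs.compressDrvWeb config.system.build.manual.manualHTML { };
          in
          ''
            import tailscale
            file_server {
              precompressed zstd br gzip
            }
            root * ${manual}/share/doc/nixos
          '';
      };

      downloads = {
        hostName = downloadsHostname;
        extraConfig = downloadsConfig;
      };

      # Same content served over plain http (no redirect to https).
      downloads-http = {
        hostName = "http://${downloadsHostname}";
        extraConfig = downloadsConfig;
      };
    };
  };

  # Publish both hostnames to headscale clients, pointing at the tailnet
  # address Caddy binds to.
  services.headscale.settings.dns.extra_records =
    let
      makeRecords = builtins.map (recordName: {
        name = recordName;
        type = "A";
        value = tailscaleIP;
      });
    in
    makeRecords [ manualHostname downloadsHostname ];

  systemd = {
    services.caddy.after = [ "tailscaled.service" ];

    # We have somewhat frequent power outages, and our ISP router takes
    # ages to boot up. If I don't add a delay, caddy tries to bind to
    # the tailscale interface before it's ready, making it crash too much
    # in too little time
    services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
    services.caddy.unitConfig.StartLimitBurst = lib.mkForce "infinity";
  };

  programs.rust-motd.settings.service_status.Caddy = "caddy";

  # These ports are opened on every interface, although Caddy only binds
  # to the tailnet address above, so nothing answers on 80/443 elsewhere
  # today. If another service ever listens on them, narrow this to the
  # tailscale interface (networking.firewall.interfaces.<iface>.allowedTCPPorts).
  networking.firewall.allowedTCPPorts = [ 443 80 ];
}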