high availability caddy

this was a fucking nightmare.
setting up the s3 storage plugin was painful, since caddy plugins are not nicely supported by the nix build yet.
rip.
oh well, i got it working.

and it WORKS

newinfra/nix/modules/ingress/default.nix

@@ -1,7 +1,20 @@
-{ pkgs, nixpkgs-unstable, config, lib, name, website, slides, blog, ... }:
+{ pkgs, config, lib, name, website, slides, blog, ... }:
 
-let caddy = nixpkgs-unstable.caddy; in
+let
+  caddy = pkgs.callPackage ./caddy-build.nix {
+    externalPlugins = [
+      {
+        name = "certmagic-s3";
+        repo = "github.com/noratrieb-mirrors/certmagic-s3";
+        version = "e48519f95173e982767cbb881d49335b6a00a599";
+      }
+    ];
+    vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
+  };
+in
 {
+  environment.systemPackages = [ caddy ];
+
   networking.firewall = {
     allowedTCPPorts = [
       80 # HTTP
@@ -12,22 +25,17 @@ let caddy = nixpkgs-unstable.caddy; in
     ];
   };
 
+  age.secrets.caddy_s3_key_secret.file = ../../secrets/caddy_s3_key_secret.age;
+
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy_s3_key_secret.path;
   services.caddy = {
     enable = true;
     package = caddy;
     configFile = pkgs.writeTextFile {
       name = "Caddyfile";
       text = (
+        builtins.readFile ./base.Caddyfile +
         ''
-          {
-              email nilstrieb@proton.me
-              auto_https disable_redirects
-          }
-
-          http:// {
-            respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
-          }
-
           ${config.networking.hostName}.infra.noratrieb.dev {
               encode zstd gzip
               header -Last-Modified
@@ -37,29 +45,33 @@ let caddy = nixpkgs-unstable.caddy; in
                 inherit pkgs lib;
               }}
               file_server {
-                etag_file_extensions .sha256
-                precompressed zstd gzip br
+                  etag_file_extensions .sha256
+                  precompressed zstd gzip br
               }
           }
 
           ${
-            if name == "vps1" then
-            builtins.readFile ./Caddyfile + ''
-              noratrieb.dev {
-                  encode zstd gzip
-                  header -Last-Modified
-                  root * ${import ./caddy-static-prepare {
-                    name = "website";
-                    src = website { inherit pkgs slides blog; };
-                    inherit pkgs lib;
-                  }}
-                  file_server {
+            if name == "vps1" || name == "vps3" || name == "vps4" then ''
+            noratrieb.dev {
+                encode zstd gzip
+                header -Last-Modified
+                root * ${import ./caddy-static-prepare {
+                  name = "website";
+                  src = website { inherit pkgs slides blog; };
+                  inherit pkgs lib;
+                }}
+                file_server {
                     etag_file_extensions .sha256
                     precompressed zstd gzip br
-                  }
-              }
+                }
+            }
             '' else ""
           }
+
+          ${
+            if name == "vps1" then
+            builtins.readFile ./Caddyfile else ""
+          }
         ''
       );
       checkPhase = ''