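# NixOS module: Caddy serves the static site tyrolize.ch and permanently
# (301) redirects lize.ch to it.
#
# TLS certs are auto-provisioned via Let's Encrypt (HTTP-01 challenge), which
# requires the apex DNS A/AAAA records to already point at this VM.
{ config, lib, pkgs, ... }:

{
  # 80 has to stay open alongside 443: the HTTP-01 challenge arrives on port 80,
  # and Caddy also answers plain-HTTP requests there with a redirect to HTTPS.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.caddy = {
    enable = true;
    email = "tyro@lize.ch"; # Let's Encrypt account contact

    virtualHosts."tyrolize.ch" = {
      # The path interpolation below copies ../sites/tyrolize.ch into the
      # world-readable Nix store and serves everything in it. Keep secrets,
      # editor backups and VCS metadata out of that directory.
      #
      # The `header` block adds baseline response hardening for a static site.
      # HSTS is set without includeSubDomains/preload so it only commits this
      # exact host to HTTPS; browsers cache it for max-age seconds, so the site
      # must stay reachable over TLS for that long.
      # NOTE(review): no Content-Security-Policy is set here because the site's
      # asset origins are not visible from this module - add one once known.
      extraConfig = ''
        root * ${../sites/tyrolize.ch}
        file_server
        encode gzip zstd
        header {
          Strict-Transport-Security "max-age=31536000"
          X-Content-Type-Options "nosniff"
          Referrer-Policy "strict-origin-when-cross-origin"
        }
      '';
    };

    virtualHosts."lize.ch" = {
      # `permanent` is a 301. The target host is hard-coded and only the
      # request URI is appended, so this cannot be steered to another origin.
      # HSTS on the alias keeps repeat visitors off plain HTTP for the first hop.
      extraConfig = ''
        header Strict-Transport-Security "max-age=31536000"
        redir https://tyrolize.ch{uri} permanent
      '';
    };
  };
}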