diff --git a/flake.nix b/flake.nix
index 0a5ff09..9cf6c95 100644
--- a/flake.nix
+++ b/flake.nix
@@ -125,9 +125,7 @@
 pkgs = import nixpkgs {
 localSystem = system;
 config.allowUnfree = true;
- overlays = [
- microvm.overlay
- ];
+ overlays = [microvm.overlay] ++ import ./pkgs/default.nix;
 };
 apps =
diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
new file mode 100644
index 0000000..8020915
--- /dev/null
+++ b/hosts/sentinel/acme.nix
@@ -0,0 +1,21 @@
+{config, ...}: let
+ inherit (config.repo.secrets.local) acme;
+in {
+ rekey.secrets.acme-credentials = {
+ file = ./secrets/acme-credentials.age;
+ mode = "440";
+ group = "acme";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ inherit (acme) email;
+ credentialsFile = config.rekey.secrets.acme-credentials.path;
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ reloadServices = ["nginx"];
+ };
+ };
+ extra.acme.wildcardDomains = acme.domains;
+}
diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
index 61fac78..ad17ddc 100644
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@@ -2,30 +2,12 @@
 config,
 lib,
 nodes,
+ pkgs,
 ...
 }: let
 inherit (config.repo.secrets.local) acme personalDomain;
 in {
- networking.domain = personalDomain;
-
- rekey.secrets.acme-credentials = {
- file = ./secrets/acme-credentials.age;
- mode = "440";
- group = "acme";
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- inherit (acme) email;
- credentialsFile = config.rekey.secrets.acme-credentials.path;
- dnsProvider = "cloudflare";
- dnsPropagationCheck = true;
- reloadServices = ["nginx"];
- };
- };
- extra.acme.wildcardDomains = acme.domains;
-
- users.groups.acme.members = ["nginx"];
+ users.groups.acme.members = ["caddy"];
 rekey.secrets."dhparams.pem" = {
 file = ./secrets/dhparams.pem.age;
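Review bot: `reloadServices = ["nginx"]` in the `security.acme.defaults` block of the new acme.nix still names nginx, while the same commit hands the certificates to caddy (`users.groups.acme.members = ["caddy"]` in the caddy.nix hunk, and default.nix now imports `./acme.nix` next to `./caddy.nix` with `./nginx.nix` commented out). After a renewal the certificate files change on disk but caddy is never signalled, so it keeps serving the expiring certificate until something else restarts it, and that only surfaces as an outage around the expiry date. If caddy is the consumer of the wildcard certificates, as the group membership suggests, this should read `reloadServices = ["caddy"];` (or list both services if nginx.nix is meant to stay switchable); the copy of this block that remains in nginx.nix is not affected.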
@@ -41,5 +23,15 @@ in {
 lokiDomain = "loki.${personalDomain}";
 lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
 in {
+ enable = true;
+ package = pkgs.caddy.withPackages {
+ plugins = [
+ {
+ name = "github.com/greenpau/caddy-security";
+ version = "v1.1.18";
+ }
+ ];
+ vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
+ };
 };
 }
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index e528396..ec33b02 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -12,7 +12,8 @@
 ./fs.nix
 ./net.nix
- #./nginx.nix
+ ./acme.nix
 ./caddy.nix
+ #./nginx.nix
 ];
 }
diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix
index cff7a1e..6598d50 100644
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@@ -5,6 +5,7 @@
 ...
 }: {
 networking.hostId = config.repo.secrets.local.networking.hostId;
+ networking.domain = config.repo.secrets.local.personalDomain;
 boot.initrd.systemd.network = {
 enable = true;
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
index c3c5104..c9ea59d 100644
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@@ -6,8 +6,6 @@
 }: let
 inherit (config.repo.secrets.local) acme personalDomain;
 in {
- networking.domain = personalDomain;
-
 rekey.secrets.acme-credentials = {
 file = ./secrets/acme-credentials.age;
 mode = "440";
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index c69918e..4f3e0c9 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -234,6 +234,7 @@ in {
 lib,
 config,
 parentNodeName,
+ utils,
 ...
 }: {
 rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
diff --git a/pkgs/caddy.nix b/pkgs/caddy.nix
new file mode 100644
index 0000000..3964002
--- /dev/null
+++ b/pkgs/caddy.nix
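Review bot: The `vendorHash` added under `package = pkgs.caddy.withPackages { ... }` is the only integrity anchor for the third-party module this build pulls in, because `version = "v1.1.18"` is a Go module tag that upstream can move, whereas the fixed-output hash pins the exact vendored tree that `go get` produced at build time. That is the right design, but nothing in the hunk says so, and a later bump of `version` without recomputing the hash fails with a hash mismatch that reads like a transient fetch error. A one-line comment above `vendorHash` would make the contract explicit: `# Pins the vendored module set (including the plugin above); recompute whenever any plugin name or version changes.` The `let … in` block that this attribute set closes starts outside the hunk.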
@@ -0,0 +1,49 @@
+final: prev: let
+ inherit
+ (final.lib)
+ escapeShellArg
+ concatMapStrings
+ flatten
+ flip
+ ;
+
+ make-custom-caddy = {
+ plugins,
+ vendorHash,
+ }: let
+ caddyPatchMain =
+ flip concatMapStrings plugins
+ ({name, ...}: "sed -i '/plug in Caddy modules here/a \\\\t_ \"${name}\"' cmd/caddy/main.go\n");
+ caddyPatchGoGet =
+ flip concatMapStrings plugins
+ ({
+ name,
+ version,
+ }: "go get ${escapeShellArg name}@${escapeShellArg version}\n");
+ in
+ prev.caddy.override {
+ buildGoModule = args:
+ prev.buildGoModule (args
+ // {
+ inherit vendorHash;
+ passthru.plugins = plugins;
+
+ overrideModAttrs = _: {
+ preBuild = caddyPatchGoGet;
+ postInstall = "cp go.mod go.sum $out/";
+ };
+
+ postPatch = caddyPatchMain;
+ postConfigure = "cp vendor/go.mod vendor/go.sum .";
+ });
+ };
+in {
+ # Example usage:
+ # caddy.withPackages {
+ # plugins = [
+ # { name = "github.com/greenpau/caddy-security"; version = "v1.1.18"; }
+ # ];
+ # vendorHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+ # }
+ caddy = prev.caddy.overrideAttrs (_: {passthru.withPackages = make-custom-caddy;});
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..6235587
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,3 @@
+[
+ (import ./caddy.nix)
+]
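Review bot: `caddyPatchMain` splices `${name}` raw into a single-quoted sed script and into a Go import string, while the sibling `caddyPatchGoGet` two lines below runs the same value through `escapeShellArg`; the two builders should treat the plugin name the same way. The names come from this repository's own Nix configuration, so this is a consistency and robustness point rather than an injection concern, but a name containing a `'` or `"` would yield a broken sed script or main.go rather than a clear evaluation error. One way to make the accepted shape explicit once, before either string is built, is a guard such as `assert final.lib.all ({name, ...}: builtins.match "[A-Za-z0-9._~/-]+" name != null) plugins;` (pattern illustrative — align it with Go module-path syntax), which also documents what a valid plugin name is. Separately, `flatten` is inherited from `final.lib` but never used in this file and can be dropped from the `inherit` list.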