Note required nix sandbox config in the readme

README.org

@@ -44,3 +44,8 @@ shutdown -h now
 
 Deploying is simply a matter of entering the deploy nix shell =nix develop= and
 =deploy .#golgi.system=.
+
+In order for this image to be built, the sandbox will need to be set to =false= or
+=relaxed= (for the custom zsh and Caddy builds). This can  be done by adding the
+line ~sandbox = relaxed~ to =/etc/nix/nix.conf=. Just note that the nix-daemon will
+need to be restarted for this new setting to take full effect.

modules/caddy.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -11,6 +11,11 @@ with lib;
   services.caddy = mkMerge [
     {
       enable = true;
+      package = pkgs.callPackage ../packages/caddy.nix {
+        plugins = [
+          "github.com/tecosaur/caddy-fs-git"
+        ];
+      };
       virtualHosts."tecosaur.net".extraConfig = ''
 respond "__        __   _
 \ \      / /__| | ___ ___  _ __ ___   ___

packages/caddy.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, plugins, ... }:
+
+with pkgs;
+
+stdenv.mkDerivation rec {
+  # Disable the Nix build sandbox for this specific build.
+  # This means the build can freely talk to the Internet.
+  # Requires the sandbox to be set to false/"relaxed".
+  __noChroot = true;
+  pname = "caddy";
+  # https://github.com/NixOS/nixpkgs/issues/113520
+  version = "latest";
+  dontUnpack = true;
+
+  nativeBuildInputs = [ git go xcaddy ];
+
+  configurePhase = ''
+    export GOCACHE=$TMPDIR/go-cache
+    export GOPATH="$TMPDIR/go"
+  '';
+
+  buildPhase = let
+    pluginArgs = lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins;
+  in ''
+    runHook preBuild
+    ${xcaddy}/bin/xcaddy build latest ${pluginArgs}
+    runHook postBuild
+  '';
+
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    mv caddy $out/bin
+    runHook postInstall
+  '';
+}