Move confess-web to its own file

services/confess.nix

@@ -0,0 +1,28 @@
+{ config, inputs, ... }: {
+  imports = [
+    inputs.confess.nixosModules.default
+  ];
+
+  services = {
+    confess-web = {
+      enable = true;
+      port = 8011;
+      reverseProxy = true;
+      trustedProxy = "127.0.0.1";
+      environmentFile = "/etc/secrets/confess.env";
+    };
+
+    borgbackup.jobs."borgbase".paths = [
+      "/var/lib/confess-web"
+    ];
+
+    caddy.virtualHosts."confess.catnip.ee".extraConfig = ''
+      tls {
+        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+        resolvers 1.1.1.1
+      }
+
+      reverse_proxy :${toString config.services.confess-web.port}
+    '';
+  };
+}