diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index 1b33e663a98db..a3ca9fd0300af 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -160,6 +160,21 @@ - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries. +- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added. + + Example: + ```nix + services.caddy = { + enable = true; + package = pkgs.caddy.withPlugins { + plugins = [ "github.com/caddy-dns/powerdns@v1.0.1" ]; + hash = "sha256-F/jqR4iEsklJFycTjSaW8B/V3iTGqqGOzwYBUXxRKrc="; + }; + }; + ``` + + To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value. + - `programs.fzf.keybindings` now supports the fish shell. diff --git a/pkgs/by-name/ca/caddy/package.nix b/pkgs/by-name/ca/caddy/package.nix index d6832d396c773..5a07a76181cff 100644 --- a/pkgs/by-name/ca/caddy/package.nix +++ b/pkgs/by-name/ca/caddy/package.nix @@ -1,11 +1,16 @@ { lib , buildGoModule +, callPackage , fetchFromGitHub , nixosTests , caddy , testers , installShellFiles , stdenv +, go +, xcaddy +, cacert +, git }: let version = "2.8.4"; @@ -32,7 +37,8 @@ buildGoModule { subPackages = [ "cmd/caddy" ]; ldflags = [ - "-s" "-w" + "-s" + "-w" "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}" ]; 
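Review bot: The four inputs added to the function header of `package.nix` (`go`, `xcaddy`, `cacert`, `git`) are not referenced in any of the visible hunks of this file. `plugins.nix` is instantiated with `callPackage ./plugins.nix { inherit caddy; }`, which resolves those inputs itself, so the header additions look like leftovers. Unless a part of `package.nix` outside the hunks uses them, keep only `, callPackage` so the argument list reflects what this derivation really depends on.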
@@ -61,12 +67,15 @@ buildGoModule { --zsh <($out/bin/caddy completion zsh) ''; - passthru.tests = { - inherit (nixosTests) caddy; - version = testers.testVersion { - command = "${caddy}/bin/caddy version"; - package = caddy; + passthru = { + tests = { + inherit (nixosTests) caddy; + version = testers.testVersion { + command = "${caddy}/bin/caddy version"; + package = caddy; + }; }; + withPlugins = callPackage ./plugins.nix { inherit caddy; }; }; meta = with lib; { diff --git a/pkgs/by-name/ca/caddy/plugins.nix b/pkgs/by-name/ca/caddy/plugins.nix new file mode 100644 index 0000000000000..790c1180be676 --- /dev/null +++ b/pkgs/by-name/ca/caddy/plugins.nix 
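Review bot: `withPlugins = callPackage ./plugins.nix { inherit caddy; };` passes the `caddy` function argument, which is the package-set attribute rather than the derivation this expression returns. As far as the hunk shows, calling `withPlugins` on the result of `caddy.overrideAttrs` would therefore start again from the un-overridden package and silently drop the caller's changes, which matters when the override carries a patch. A comment on the attribute would make that explicit, e.g. `# withPlugins always builds from pkgs.caddy, not from an overridden derivation`. The `buildGoModule { … }` call begins and ends outside this hunk.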
@@ -0,0 +1,80 @@
+{
+ lib,
+ stdenv,
+ go,
+ xcaddy,
+ cacert,
+ git,
+ caddy,
+}:
+{
+ plugins,
+ hash ? lib.fakeHash,
+}:
+let
+ pluginsSorted = lib.sort lib.lessThan plugins;
+ pluginsList = lib.concatMapStrings (plugin: "${plugin}-") pluginsSorted;
+ pluginsHash = builtins.hashString "md5" pluginsList;
+ pluginsWithoutVersion = lib.filter (p: !lib.hasInfix "@" p) pluginsSorted;
+in
+assert lib.assertMsg (
+ lib.length pluginsWithoutVersion == 0
+) "All plugins should have a version (eg ${lib.elemAt pluginsWithoutVersion 0}@x.y.z)!";
+caddy.overrideAttrs (
+ finalAttrs: prevAttrs: {
+ vendorHash = null;
+ subPackages = [ "." ];
+
+ src = stdenv.mkDerivation {
+ pname = "caddy-src-with-plugins-${pluginsHash}";
+ version = finalAttrs.version;
+
+ nativeBuildInputs = [
+ go
+ xcaddy
+ cacert
+ git
+ ];
+ dontUnpack = true;
+ buildPhase =
+ let
+ withArgs = lib.concatMapStrings (plugin: "--with ${plugin} ") pluginsSorted;
+ in
+ ''
+ export GOCACHE=$TMPDIR/go-cache
+ export GOPATH="$TMPDIR/go"
+ XCADDY_SKIP_BUILD=1 TMPDIR="$PWD" xcaddy build v${finalAttrs.version} ${withArgs}
+ (cd buildenv* && go mod vendor)
+ '';
+ installPhase = ''
+ mv buildenv* $out
+ '';
+
+ outputHashMode = "recursive";
+ outputHash = hash;
+ outputHashAlgo = "sha256";
+ };
+
+ doInstallCheck = true;
+ installCheckPhase = ''
+ runHook preInstallCheck
+
+ ${lib.toShellVar "notfound" pluginsSorted}
+ while read kind module version; do
+ [[ "$kind" = "dep" ]] || continue
+ module="''${module}@''${version}"
+ for i in "''${!notfound[@]}"; do
+ if [[ ''${notfound[i]} = ''${module} ]]; then
+ unset 'notfound[i]'
+ fi
+ done
+ done < <($out/bin/caddy build-info)
+ if (( ''${#notfound[@]} )); then
+ >&2 echo "Plugins not found: ''${notfound[@]}"
+ exit 1
+ fi
+
+ runHook postInstallCheck
+ '';
+ }
+)
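Review bot: Each entry of `plugins` is spliced into the `buildPhase` shell text unquoted (`"--with ${plugin} "`), and that phase runs inside a fixed-output derivation, which is allowed network access. An entry containing whitespace or shell metacharacters would be interpreted by the shell instead of reaching xcaddy as one argument, so quote it: `withArgs = lib.concatMapStrings (plugin: "--with ${lib.escapeShellArg plugin} ") pluginsSorted;`. Separately, the assertion only checks that an `@` is present, so a moving reference such as `@latest` passes evaluation. It would presumably surface only later, as a hash mismatch or as "Plugins not found" in `installCheckPhase`. A comment above the assert, e.g. `# versions must be immutable tags or pseudo-versions, otherwise outputHash drifts`, would state the requirement the pinned `hash` relies on.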