diff --git a/pkgs/caddy/package.nix b/pkgs/caddy/package.nix
new file mode 100644
index 0000000..82bbf18
--- /dev/null
+++ b/pkgs/caddy/package.nix
@@ -0,0 +1,15 @@
+# Caddy with Cloudflare DNS
+
+{
+ pkgs,
+ ...
+}:
+
+# Maintain a static version so that the plugin hash doesn't keep breaking
+(pkgs.caddy.override {
+ version = "2.10.2";
+}).withPlugins
+ {
+ plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
+ hash = "sha256-AcWko5513hO8I0lvbCLqVbM1eWegAhoM0J0qXoWL/vI=";
+ }
diff --git a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
index 353f199..92e86c2 100644
--- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
@@ -66,10 +66,7 @@ in
 nmasur.presets.services.caddy.cidrAllowlist = cloudflareIpRanges;
 # Tell Caddy to use Cloudflare DNS for ACME challenge validation
- services.caddy.package = pkgs.caddy.withPlugins {
- plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
- hash = "sha256-AcWko5513hO8I0lvbCLqVbM1eWegAhoM0J0qXoWL/vI=";
- };
+ services.caddy.package = pkgs.nmasur.caddy;
 nmasur.presets.services.caddy.tlsPolicies = [
 {
 issuers = [
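Review bot: The pin `version = "2.10.2";` in the new `pkgs/caddy/package.nix` takes the TLS-terminating Caddy build off the nixpkgs update path, so Caddy security releases will no longer arrive with a channel bump, yet the comment above it records only the hash-stability reason. I would extend that comment to something like `# Pinned: nixpkgs updates to caddy (including security fixes) do not apply here; bump version and plugin hash together`. Whether `override` with a `version` argument really changes the source that gets built, rather than only the version string, is not visible in this hunk and is worth confirming against the resulting binary's reported version. The fixed `hash` on the plugin set is a useful integrity check and should stay as it is.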