# NixOS module: runs a nix-serve binary cache, signs with a key delivered by
# sops, and publishes it through an nginx virtual host at cache.<domain>.
{ config, ... }:
let
  cacheCfg = config.services.nix-serve;
  signingKey = config.sops.secrets."cache/key";

  # nginx forwards to whatever address/port nix-serve is configured with.
  # NOTE(review): bindAddress is not set in this file, so the value comes from
  # the module default or another module. If the cache is meant to be reachable
  # only through nginx, confirm nix-serve listens on loopback or is firewalled.
  upstream = "http://${cacheCfg.bindAddress}:${toString cacheCfg.port}";
in
{
  # Cache signing key. With format = "binary" the whole sops file is the secret.
  # NOTE(review): owner/mode are not set here; confirm the nix-serve unit can
  # read the decrypted file and that no other account can.
  sops.secrets."cache/key" = {
    format = "binary";
    sopsFile = ./secrets/cache.key;
  };

  services.nix-serve = {
    enable = true;
    # Path of the decrypted key at runtime, so the key never enters the Nix store.
    secretKeyFile = signingKey.path;
  };

  services.nginx = {
    enable = true;
    # NOTE(review): no TLS options (forceSSL / addSSL / enableACME) are set on
    # this vhost in this file. Signatures protect store-path integrity, but not
    # the confidentiality of what clients fetch; confirm TLS is set elsewhere.
    virtualHosts."cache.${config.networking.domain}".locations."/".proxyPass = upstream;
  };
}