{ pkgs, config, ... }:

{
  services.nix-serve = {
    enable = true;
    secretKeyFile = "/var/lib/cache/priv-key.pem";
  };

  services.nginx = {
    virtualHosts = {
      "cache.${config.networking.domain}" = {
        locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
      };
    };
  };

  hpc.hostFile.aliases = [
    "cache.${config.networking.domain}"
  ];

  system.activationScripts."generate-binary-cache-key" = ''
    if ! [ -f "/var/lib/cache/priv-key.pem" ]; then
      mkdir -pv /var/lib/cache
      ${pkgs.nix}/bin/nix-store --generate-binary-cache-key \
         "cache.${config.networking.domain}" \
         /var/lib/cache/priv-key.pem \
         /var/lib/cache/pub-key.pem
     fi
  '';

  gather.parts."cache/key" = {
    name = "cache-pub-key.pem";
    file = "/var/lib/cache/pub-key.pem";
  };
}