{ config, ... }:

{
  services.nix-serve = {
    enable = true;
    secretKeyFile = config.sops.secrets."cache/privateKey".path;
  };

  sops.secrets."cache/privateKey" = {
    format = "binary";
    sopsFile = ../../secrets/cache-priv-key.pem;
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "cache.${config.networking.domain}" = {
        locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
      };
    };
  };

  hpc.hostFile.aliases = [
    "cache.${config.networking.domain}"
  ];
}