# NixOS module: runs the harmonia binary cache on loopback and publishes it
# through two nginx virtual hosts that terminate TLS.
{ config, pkgs, ... }:

let
  # harmonia listens on IPv6 loopback only, so nginx is the sole
  # network-facing entry point to the cache.
  harmoniaAddr = "[::1]:5005";

  # Exact-match locations shared by both virtual hosts: "/" is answered via
  # index.txt, which is taken from the ./cache.nix.clerie.de directory next
  # to this file (the same directory is used for both host names).
  landingPage = {
    "= /" = {
      index = "/index.txt";
    };
    "= /index.txt" = {
      root = ./cache.nix.clerie.de;
    };
  };

  # Catch-all location that hands every other request to harmonia.
  # proxy_redirect rewrites http:// redirects coming back from the upstream
  # to https://; the Upgrade/Connection headers are passed through.
  # NOTE(review): $connection_upgrade is not defined in this file; it has to
  # come from a `map` elsewhere in the generated nginx configuration - confirm.
  harmoniaProxy = {
    proxyPass = "http://${harmoniaAddr}";
    extraConfig = '' proxy_redirect http:// https://; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; '';
  };
in
{
  services.harmonia = {
    enable = true;
    settings.bind = harmoniaAddr;
  };

  systemd.services.harmonia = {
    # %d is the systemd specifier for the unit's credentials directory, so
    # harmonia is pointed at the two files loaded by LoadCredential below.
    environment = {
      SIGN_KEY_PATHS = "%d/key1 %d/key2";
    };

    # The signing keys are handed over as systemd credentials ("ID:PATH")
    # rather than by giving the service direct access to the secret files.
    # The sops.secrets entries referenced here are declared outside this file.
    serviceConfig = {
      LoadCredential = [
        "key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
        "key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
      ];
    };
  };

  services.nginx.virtualHosts = {
    # Plain cache front end: landing page plus reverse proxy.
    "nix-cache.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations = landingPage // {
        "/" = harmoniaProxy;
      };
    };

    # Same front end, plus a browsable static view of /nix/store.
    "cache.nix.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations = landingPage // {
        # The exact match wins over the prefix location below, so the
        # top-level listing of all store paths is never rendered.
        "= /nix/store/" = {
          extraConfig = '' return 404; '';
        };

        # With root = "/", a request for /nix/store/<path> is read from the
        # same path on disk, and autoindex renders directory listings below
        # the top level. Everything in the store that the nginx worker can
        # read is therefore public: keep secrets out of the store.
        # NOTE(review): nginx follows symlinks by default, so a store symlink
        # pointing outside /nix/store would be served if it is readable -
        # check whether disable_symlinks is wanted here.
        "/nix/store/" = {
          root = "/";
          extraConfig = '' autoindex on; autoindex_exact_size off; '';
        };

        "/" = harmoniaProxy;
      };
    };
  };
}