{ config, pkgs, ... }:

{

  services.harmonia = {
    enable = true;
    settings.bind = "[::1]:5005";
    signKeyPath = config.sops.secrets.nix-cache-key.path;
  };

  services.nginx.virtualHosts = {
    "nix-cache.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations."= /" = {
        index = "/index.txt";
      };
      locations."= /index.txt" = {
        root = ./cache.nix.clerie.de;
      };
      locations."/" = {
        proxyPass = "http://[::1]:5005";
        extraConfig = ''
          proxy_redirect http:// https://;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        '';
      };
    };
    "cache.nix.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations."= /" = {
        index = "/index.txt";
      };
      locations."= /index.txt" = {
        root = ./cache.nix.clerie.de;
      };
      locations."= /nix/store/" = {
        extraConfig = ''
          return 404;
        '';
      };
      locations."/nix/store/" = {
        root = "/";
        extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
        '';
      };
      locations."/" = {
        proxyPass = "http://[::1]:5005";
        extraConfig = ''
          proxy_redirect http:// https://;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        '';
      };
    };
  };

}