# NixOS module: run nix-serve as a signed binary cache and publish it over
# HTTPS through an nginx reverse proxy.
{ config, pkgs, ... }:

{
  # Private signing key for the cache, provisioned through sops-nix.
  #
  # NOTE(review): mode 0444 makes the decrypted key readable by every local
  # account on this host. Whoever can read it can produce signatures that
  # clients trusting this cache's public key will accept. The permissive mode
  # is presumably a workaround for the credential problem described below;
  # prefer restricting the file to the account the nix-serve unit runs as
  # (owner/group plus 0400 or 0440). How that unit's user is defined is not
  # visible in this file, so confirm before tightening.
  sops.secrets."nix-serve/secretKey" = {
    mode = "0444";
  };

  # Nix binary cache
  services.nix-serve.enable = true;
  # The module's own key option is left unset; the key path reaches the
  # service through the environment instead (see below).
  # services.nix-serve.secretKeyFile = config.sops.secrets."nix-serve/secretKey".path;

  # nix-serve requires a $HOME; %S is systemd's specifier for the state
  # directory root.
  # also, systemd's LoadCredential mechanism doesn't work here, so the path of
  # the key file (not the key itself) is handed over via NIX_SECRET_KEY_FILE.
  systemd.services.nix-serve.serviceConfig = {
    Environment = "HOME=%S NIX_SECRET_KEY_FILE=${config.sops.secrets."nix-serve/secretKey".path}";
  };

  # Nix binary cache thru reverse proxy for HTTPS
  #
  # NOTE(review): the proxy targets the loopback address, but
  # services.nix-serve.bindAddress is not set in this file. Verify that the
  # backend port is bound to loopback or firewalled, otherwise it can be
  # reached in plain HTTP without going through this virtual host.
  services.nginx.virtualHosts."nix-serve.hq.c3d2.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      extraConfig = ''
        proxy_pass http://127.0.0.1:${toString config.services.nix-serve.port};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      '';
    };
  };
}