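# NixOS module for a combined binary-cache host (nix-serve behind nginx) and
# remote-build target (the `nixremote` SSH user). The only change from the
# previous revision is binding nix-serve to loopback so that the unsigned
# upstream listener is reachable solely through the nginx reverse proxy.
{ config, pkgs, ... }:
{
  # Generate the binary cache key pair on the nix-cache host:
  #   sudo install -d -m 0700 /etc/nix
  #   sudo nix-store --generate-binary-cache-key nix-cache-1 \
  #     /etc/nix/cache-priv.pem \
  #     /etc/nix/cache-pub.pem
  #   sudo chmod 0600 /etc/nix/cache-priv.pem
  #   sudo chmod 0644 /etc/nix/cache-pub.pem
  #   cat /etc/nix/cache-pub.pem
  #
  # The private key never leaves this host; only the public key is handed to
  # cache consumers, which must list it under `trusted-public-keys` so that
  # narinfo signatures are actually checked.
  services.nix-serve = {
    enable = true;
    secretKeyFile = "/etc/nix/cache-priv.pem";
    # NOTE(review): the NixOS nix-serve unit does not run as root; confirm it can
    # read a 0600 root-owned key (the module may use LoadCredential or a service
    # user) — verify on first start.
    #
    # Listen on loopback only. nginx is the sole intended entry point and the
    # firewall below opens only port 80, so there is no reason for the raw
    # nix-serve port to be bound on every interface.
    bindAddress = "127.0.0.1";
  };

  # Reverse proxy in front of nix-serve. This is plain HTTP: integrity of the
  # served paths comes from the cache signature, not from the transport, and
  # anything in the store on this host is readable by any client that can
  # reach port 80.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."nix-cache" = {
      locations."/" = {
        # Derived from the nix-serve options above so the two stay in sync.
        proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
      };
    };
  };

  # Port 22 is not listed here: `services.openssh.enable` opens it through
  # `services.openssh.openFirewall`, which defaults to true.
  networking.firewall.allowedTCPPorts = [ 80 ];

  # Dedicated system user that remote clients SSH into for distributed builds.
  users.groups.nixremote = { };
  users.users.nixremote = {
    isSystemUser = true;
    group = "nixremote";
    createHome = true;
    home = "/var/lib/nixremote";
    # A real shell is required so `nix-store --serve` can be executed over SSH.
    shell = pkgs.bashInteractive;
    # Provide remote builder public keys here (safe to commit public keys only):
    #   openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... client@host" ];
    #
    # Avoid absolute keyFiles paths here because they break pure flake evaluation.
    openssh.authorizedKeys.keys = [ ];
  };

  # NOTE(review): consider `services.openssh.settings.PasswordAuthentication = false`
  # once key-based admin access is confirmed working; left unchanged here so an
  # existing password login is not locked out by this commit.
  services.openssh.enable = true;

  nix.settings = {
    # `nixremote` must be trusted for the remote-build protocol to accept the
    # paths it uploads. Note that trusted-users can import unsigned store paths
    # and override daemon settings, which is effectively root on this host —
    # hence the dedicated user with an otherwise empty authorized_keys list.
    trusted-users = [ "root" "nixremote" ];
    experimental-features = [ "nix-command" "flakes" ];
    auto-optimise-store = true;
    # Let this host fetch dependencies from its own substituters when building
    # for remote clients instead of receiving them over SSH.
    builders-use-substitutes = true;
  };

  # Periodic garbage collection; anything a client still wants to be served
  # must be kept alive by a gcroot on this host.
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
}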