{ config, lib, ... }:
let
  cfg = config.custom.services.nixCacheClient;
in
{
  options.custom.services.nixCacheClient = {
    enable = lib.mkEnableOption "Nix HTTPS cache client";
    remoteBuilds = {
      additional = lib.mkEnableOption "remote builds over SSH in addition to local";
      exclusive = lib.mkEnableOption "remote builds over SSH instead of local";
    };
  };

  config = lib.mkIf cfg.enable {
    nix = {
      buildMachines = lib.mkIf (cfg.remoteBuilds.additional || cfg.remoteBuilds.exclusive) [
        {
          hostName = "cache.sinerva.eu";
          maxJobs = 4;
          protocol = "ssh";
          speedFactor = 10;
          sshUser = "nix-ssh";
          supportedFeatures = [
            "kvm"
            "nixos-test"
            "big-parallel"
            "benchmark"
          ];
          systems = [
            "x86_64-linux"
            "aarch64-linux"
          ];
        }
      ];
      distributedBuilds = true;
      settings = {
        substituters = [ "https://cache.sinerva.eu" ];
        trusted-public-keys = [ "cache.sinerva.eu:TaIhyAKozO/r88EBWMSdbp+TB0YlcXT/EADunYoYLVc=" ];
        builders-use-substitutes = lib.mkIf (
          cfg.remoteBuilds.additional || cfg.remoteBuilds.exclusive
        ) true;
        max-jobs = lib.mkIf cfg.remoteBuilds.exclusive 0;
      };
    };
    services.openssh.knownHosts."cache.sinerva.eu".publicKey = config.custom.sshKeys.ci;

    programs.ssh.extraConfig = ''
      Host cache.sinerva.eu
        IdentityFile /etc/ssh/ssh_host_ed25519_key
    '';
  };
}