{ config, lib, ... }:

let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.custom.services.nixCacheServer;
  # sops-managed private signing key; the daemon reads it from `.path` at runtime.
  cacheKey = config.sops.secrets.priv-cache-key;
in
{
  options.custom.services.nixCacheServer.enable =
    mkEnableOption "Nix SSH cache server";

  config = mkIf cfg.enable {
    # The signing key lives in the CI secrets file and is decrypted on activation.
    sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;

    nix = {
      # Sign store paths with the private key so clients can verify them
      # against the matching public key they trust.
      extraOptions = ''
        secret-key-files = ${cacheKey.path}
      '';

      # Serve the store over SSH.  `write = true` passes --write to
      # nix-store --serve, so the holder of the listed key can push paths into
      # this store; only CI keys belong in this list.
      # NOTE(review): whether unsigned pushed paths are accepted depends on the
      # daemon's require-sigs / trusted-users settings — confirm before relying
      # on signatures from this host.
      sshServe = {
        enable = true;
        write = true;
        keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd root@cert-store"
        ];
      };
    };

    # SSH is reachable from the internet, so throttle brute-force attempts:
    # 10 failures within findtime (1h) bans for 10m, doubling per repeat up to 1d.
    # NOTE(review): this module does not itself restrict sshd to key-only auth;
    # confirm PasswordAuthentication is disabled in the openssh configuration,
    # otherwise these limits are the only thing standing in front of a password guess.
    services.fail2ban = {
      enable = true;
      maxretry = 10;
      bantime = "10m";
      bantime-increment = {
        enable = true;
        maxtime = "1d";
      };
      jails.DEFAULT.settings.findtime = 3600;
    };
  };
}