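{ config, lib, ... }:
let
  cfg = config.custom.services.nixCacheServer;
  cacheDomain = "cache.sinerva.eu";

  # nix-serve listens on loopback only; nginx is the sole public entry point.
  # The bind address and port are defined once so the listener and the
  # proxyPass target cannot drift apart.
  serveAddress = "127.0.0.2";
  servePort = 8081;

  # Path of the sops-decrypted cache signing key, shared by nix-serve and the
  # daemon so paths served over HTTP and pushed over SSH are signed identically.
  secretKeyPath = config.sops.secrets.priv-cache-key.path;
in
{
  options.custom.services.nixCacheServer.enable =
    lib.mkEnableOption "Nix SSH cache server";

  config = lib.mkIf cfg.enable {
    # Private signing key for the binary cache, decrypted by sops at activation.
    sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;

    services = {
      # HTTP binary cache, reachable only through the nginx virtual host below.
      nix-serve = {
        enable = true;
        bindAddress = serveAddress;
        port = servePort;
        secretKeyFile = secretKeyPath;
      };

      # NOTE(review): no forceSSL/enableACME is set on this vhost here — confirm
      # TLS is configured for ${cacheDomain} elsewhere; otherwise the cache is
      # served over plain HTTP (contents remain signed, transport is not).
      nginx.virtualHosts.${cacheDomain}.locations."/" = {
        proxyPass = "http://${serveAddress}:${toString servePort}";
      };

      # Added because we are opening up SSH to the world
      fail2ban = {
        enable = true;
        maxretry = 10;
        bantime = "10m";
        bantime-increment = {
          enable = true;
          maxtime = "1d";
        };
        jails.DEFAULT.settings = {
          # Window (seconds) in which maxretry failures trigger a ban.
          findtime = 3600;
        };
      };
    };

    nix = {
      # Declared through nix.settings instead of a raw extraOptions line so the
      # option is typed and merges with any other secret-key-files entry.
      settings.secret-key-files = [ secretKeyPath ];

      sshServe = {
        enable = true;
        # trusted = true adds the nix-ssh user to trusted-users, and write = true
        # allows store writes over SSH. Together this lets every key listed below
        # import unsigned store paths and pass daemon settings, which Nix treats
        # as effectively root-equivalent — keep this list to hosts that need to
        # push builds, and rotate a key promptly if its host is compromised.
        trusted = true;
        write = true;
        keys =
          let
            k = config.custom.sshKeys;
          in
          [
            k.borg
            k.cert-store
            k.forgejo
            k.gaming
            k.helium
            k.idacloud
            k.lithium
            k.nextcloud
            k.vaultwarden
          ];
      };
    };
  };
}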