{ domain, ... }:
{ lib, config, hostName, ... }:
# Nix binary cache for the WireGuard side: nix-serve bound to loopback and
# fronted by nginx on the *.wg hostnames, plus store access over SSH.
let
  inherit (config.users) users groups;
  serviceName = "nix-serve";
  # Builds one nginx vhost as a name/value pair. Lower priority value wins;
  # cache.nixos.org sits at 40.
  mkCacheVhost = prefix: prio:
    let fqdn = "${prefix}.${hostName}.wg"; in
    lib.nameValuePair fqdn {
      # Listens only on the wg hostname, without TLS: confidentiality and
      # integrity are left to the tunnel (presumably WireGuard, given the
      # nginx ordering after wireguard-wg-intra.service below).
      listenAddresses = [ fqdn ];
      forceSSL = false;
      # Logging is silenced on purpose, so nothing records who fetched what
      # from this cache; re-enable the commented access_log for an audit trail.
      extraConfig = ''
        #access_log /var/log/nginx/${domain}/${serviceName}/access.json json buffer=32k;
        #error_log  /var/log/nginx/${domain}/${serviceName}/error.log warn;
        access_log off;
        error_log  /dev/null crit;
      '';
      locations = {
        "/nix-cache-info" = {
          return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString prio}\n"'';
          # NOTE(review): https_add_headers is applied to a plaintext vhost
          # (forceSSL = false); verify it does not emit HSTS on an http: host.
          extraConfig = ''
            ${config.services.nginx.configs.https_add_headers}
            add_header Content-Type text/plain;
          '';
        };
        # Everything else is proxied to the loopback-only nix-serve.
        "/".extraConfig = ''
          proxy_pass http://localhost:${toString config.services.nix-serve.port};
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        '';
      };
    };
in
{
  nix = {
    settings = {
      # NOTE(review): trusted-users may override daemon-restricted settings;
      # confirm nix-serve needs this rather than allowed-users alone.
      trusted-users = [ users."nix-serve".name ];
      # Setting this replaces the default "*" wildcard: daemon access is
      # narrowed to the listed users (other modules' definitions merge in).
      allowed-users = [ users."nix-ssh".name ];
    };
    # Store serving over SSH through the nix-ssh account, reusing julm's keys.
    sshServe = {
      enable = true;
      keys = users."julm".openssh.authorizedKeys.keys;
    };
  };

  users = {
    users."nix-serve" = {
      isSystemUser = true;
      group = groups."nix-serve".name;
      # presumably so the service can read secrets deployed for the "keys"
      # group — confirm against the secrets module
      extraGroups = [ groups."keys".name ];
    };
    groups."nix-serve" = { };
  };

  # Cache signing key: provisioned by the gnupg secrets module, owned by the
  # nix-serve account, and ordered into place before nix-serve.service.
  security.gnupg.secrets."nix/binary-cache-key/1" = {
    user = users."nix-serve".name;
    systemdConfig = {
      before = [ "nix-serve.service" ];
      wantedBy = [ "nix-serve.service" ];
    };
  };
  services.nix-serve = {
    enable = true;
    secretKeyFile = config.security.gnupg.secrets."nix/binary-cache-key/1".path;
    # Loopback only: clients reach the cache through nginx, never directly.
    bindAddress = "127.0.0.1";
  };

  services.nginx.virtualHosts = lib.listToAttrs [
    # cache.nixos.org (40) has priority over extracache
    (mkCacheVhost "nix-extracache" 60)
    # localcache has priority over cache.nixos.org
    (mkCacheVhost "nix-localcache" 30)
  ];
  systemd.services.nginx = {
    after = [ "wireguard-wg-intra.service" ];
    # mkForce overrides any LogsDirectory other modules set, so only this
    # per-service directory is created, even though logging is off above.
    serviceConfig.LogsDirectory = lib.mkForce [ "nginx/${domain}/${serviceName}" ];
  };
}