# the public key for the current iteration of this cache is:
# cache.rnrd.eu-1:6Q2MPTZ6ycAzWcc0VzXR+pKRlJ+6kfdQfj6iRsN5s1I=

{ config, unstablePkgs, ... }:

let
  inherit (config.age) secrets;

  cachePort = 3138;
in
{
  age.secrets.binary-cache-key = {
    file = ../secrets/binary-cache-key.age;
  };

  services = {
    harmonia = {
      enable = true;
      # 24.11 does not include built-in zstd compression for harmonia yet.
      package = unstablePkgs.harmonia;
      signKeyPaths = [ secrets.binary-cache-key.path ];

      settings = {
        bind = "127.0.0.1:${toString cachePort}";
        workers = 6;
        priority = 33;
      };
    };

    nginx.virtualHosts."cache.rnrd.eu" = {
      useACMEHost = "rnrd.eu";
      forceSSL = true;

      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cachePort}";
        # i'm not sure whether harmonia actually does anything
        # with websockets, but their example includes nginx settings
        # that can be toggled on with this setting.
        # see: https://github.com/nix-community/harmonia#configuration-for-public-binary-cache-on-nixos
        proxyWebsockets = true;
      };

      extraConfig = ''
        proxy_redirect http:// https://;
        access_log /var/log/nginx/cache.access.log json_combined;
      '';
    };
  };
}