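# NixOS module: runs nix-serve as a binary cache bound to loopback and
# publishes it through an nginx virtual host on port 80.
{ config, lib, ... }:
with lib;
let
  cfg = config.eboskma.nix-serve;
in
{
  options.eboskma.nix-serve = {
    enable = mkEnableOption "nix-serve";
  };

  config = mkIf cfg.enable {
    services.nix-serve = {
      enable = true;
      # Private signing key of the cache. Anyone who can read it can sign
      # store paths that clients trusting this cache's public key will accept.
      # It is given as a string (not a Nix path literal), so it is not copied
      # into the world-readable Nix store.
      secretKeyFile = "/var/cache-priv-key.pem";
      # Listen on loopback only; nginx below is the sole network-facing entry.
      bindAddress = "127.0.0.1";
    };

    # tmpfiles "C" copies the key to /run with mode 400, owner nix-serve,
    # group root, if the target does not exist yet.
    # NOTE(review): nothing in this module reads /run/cache-priv-key.pem;
    # secretKeyFile still points at the /var path. Confirm the copy is still
    # needed, since it is a second on-disk copy of the signing key.
    systemd.tmpfiles.rules = [
      "C /run/cache-priv-key.pem 400 nix-serve root - ${config.services.nix-serve.secretKeyFile}"
    ];

    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      virtualHosts = {
        "loki.datarift.nl" = {
          serverAliases = [ "loki" ];
          # Proxy to the exact address nix-serve binds to. "localhost" can also
          # resolve to ::1, where nothing listens, which makes nginx log failed
          # upstream attempts before it falls back to 127.0.0.1.
          locations."/".proxyPass =
            "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };
      };
    };

    # NOTE(review): the cache is exposed over plain HTTP only. Clients that
    # verify signatures still get integrity for store paths, but requests and
    # contents are visible on the network; consider TLS on this vhost if the
    # network is not trusted.
    networking.firewall.allowedTCPPorts = [ 80 ];
  };
}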