{ lib, config, pkgs, ... }:
# Hydra CI behind nginx, plus a nix-serve binary cache signed with the same
# key Hydra uses for its own store paths. TLS certificates come from
# Let's Encrypt via the netcup DNS-01 provider; both secrets (signing key,
# DNS API credentials) are provisioned by agenix.
let
  # Hostname shared by the nginx vhost and the ACME certificate entry.
  hydraHost = config.services.hydra.hydraURL;

  # agenix-decrypted private signing key, used by nix-serve and by the
  # nix daemon (secret-key-files) so both sign with the same identity.
  signingKey = config.age.secrets."keys/nixsign".path;
in
{
  services.hydra = {
    enable = true;
    # NOTE(review): no scheme here. This value is reused below as the nginx
    # vhost name and the ACME cert name, so it must stay a bare hostname for
    # those; but if the hydra module also uses it as the base URL for links
    # in notification mails, those links may lack "https://" — confirm.
    hydraURL = "hydra.home.opel-online.de";
    # Only reachable on loopback; exposure is meant to go through nginx.
    listenHost = "localhost";
    notificationSender = "hydra@localhost";
    useSubstitutes = true;
  };

  services.nix-serve = {
    enable = true;
    port = 5001;
    # NOTE(review): the key file is owned by "hydra" (see age.secrets below)
    # while nix-serve runs as its own service user by default — verify the
    # file mode/group actually lets nix-serve read it, otherwise served
    # paths will be unsigned and clients with require-sigs will reject them.
    secretKeyFile = signingKey;
  };

  services.nginx = {
    enable = true;
    virtualHosts.${hydraHost} = {
      enableACME = true;
      forceSSL = true;
      # Bound to loopback only, hence no HTTP-01 challenge is possible and
      # security.acme below uses DNS-01.
      # NOTE(review): this vhost declares no locations/proxyPass towards
      # Hydra, so it serves nothing yet; and port 3000 is also what the
      # hydra module listens on by default — check for a port clash.
      listen = [ { addr = "127.0.0.1"; port = 3000; } ];
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "webmaster@kabtop.de";
    # WARNING: Let's Encrypt *staging* directory. Certificates it issues are
    # signed by an untrusted test CA, so every TLS client will reject them
    # (or must be told to skip verification — do not do that). Remove this
    # line to fall back to the production endpoint once the DNS-01 flow is
    # confirmed working.
    defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    certs.${hydraHost} = {
      dnsProvider = "netcup";
      # netcup API credentials for the DNS-01 challenge, decrypted by agenix
      # into a file owned by the acme user (see age.secrets below).
      environmentFile = config.age.secrets."services/acme/opel-online".path;
      # DNS-01 only: no webroot, since the host does not answer plain HTTP.
      webroot = null;
    };
  };

  nix = {
    # Hydra needs trusted-user rights to drive the daemon. Trusted users can
    # override daemon settings such as substituters and signature
    # requirements, so keep this list to the hydra account only.
    settings.trusted-users = [ "hydra" ];
    # Sign locally built store paths with the same key nix-serve exposes,
    # so paths served from the cache verify against one public key.
    extraOptions = ''
      secret-key-files = ${signingKey}
    '';
  };

  age.secrets."keys/nixsign" = {
    file = ../../../secrets/keys/nixservepriv.age;
    # Owned by hydra so the daemon-side signing works; nix-serve read access
    # is not granted here — see the note on services.nix-serve.
    owner = "hydra";
  };

  age.secrets."services/acme/opel-online" = {
    file = ../../../services/acme/opel-online.age;
    # The acme service user must be able to read the DNS credentials.
    owner = "acme";
  };
}