{ lib, config, pkgs, ... }:

{
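    services = {
      # Hydra CI front end. It listens on loopback only; the nginx virtual
      # host "hydra.ci.kabtop.de" below is its only public entry point.
      hydra = {
        enable = true;
        hydraURL = "https://hydra.ci.kabtop.de";
        listenHost = "127.0.0.1";
        port = 3001;
        notificationSender = "hydra@kabtop.de";
        # With substitution enabled, store paths downloaded from binary
        # caches end up in the local store next to locally built ones.
        # nix-serve (below) hands out whatever is in that store under this
        # host's signing key, so every substituter this machine trusts
        # becomes part of the trust chain of cache.ci.kabtop.de.
        useSubstitutes = true;
        minimumDiskFree = 50; # GiB
        maxServers = 10;
      };

      # Binary cache backend, also loopback only. The signing key is the
      # agenix-managed secret declared in age.secrets."keys/nixsign".
      nix-serve = {
        enable = true;
        port = 5001;
        bindAddress = "127.0.0.1";
        secretKeyFile = config.age.secrets."keys/nixsign".path;
      };

      nginx = {
        enable = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        virtualHosts = {
          # Default server: requests that match no other virtual host get
          # a 503 instead of being routed to Hydra or the cache.
          "ci.kabtop.de" = {
            enableACME = true;
            forceSSL = true;
            default = true;
            locations."/".return = "503";
          };
          "hydra.ci.kabtop.de" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              # Derive the upstream from the Hydra options instead of
              # repeating "localhost:3001": the proxy target then follows
              # listenHost/port if they change, and nginx never tries the
              # IPv6 loopback, where Hydra (bound to 127.0.0.1) is not
              # listening. Same pattern as the cache vhost below.
              proxyPass = "http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}";
              # TLS terminates at nginx; pass the public port on to Hydra.
              extraConfig = ''
                proxy_set_header X-Forwarded-Port 443;
              '';
            };
          };
          # Public binary cache. NOTE(review): no access control is
          # configured on this vhost in this file, so any path in the
          # host's Nix store can be fetched by a client that knows its
          # store hash. Keep plaintext secrets out of the store.
          "cache.ci.kabtop.de" = {
            enableACME = true;
            forceSSL = true;
            locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
          };
        };
      };
    };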

    nix = {
      # Build scheduling: one build at a time, each allowed up to 5 cores.
      settings.max-jobs = 1;
      settings.cores = 5;

      # Trusted users may override daemon settings (substituters, signature
      # checks, ...), which is close to root-equivalent control over the
      # store. Keep this list as short as possible.
      # NOTE(review): confirm that the "hydra" account really needs this;
      # the NixOS hydra module may already grant it to its queue runner.
      settings.trusted-users = [ "hydra" ];

      # URI prefixes that restricted evaluation is allowed to fetch from
      # (presumably needed for Hydra's evaluator - confirm). These prefixes
      # cover every repository on GitHub, not only this project's inputs.
      settings.allowed-uris = [
        "github:"
        "https://github.com/"
        "git+ssh://github.com/"
      ];

      # Locally built store paths are signed with the same agenix-managed
      # key that services.nix-serve.secretKeyFile points at.
      extraOptions = ''
        secret-key-files = ${config.age.secrets."keys/nixsign".path}
      '';
    };
    
    # Private signing key for the binary cache, stored encrypted (agenix)
    # and referenced elsewhere in this file through
    # config.age.secrets."keys/nixsign".path (nix-serve's secretKeyFile and
    # the secret-key-files line in nix.extraOptions).
    # NOTE(review): only `owner` is set here, so agenix's default file mode
    # applies. Confirm that "hydra" is the account that has to read the key;
    # anyone who obtains it can sign paths that clients of this cache accept.
    age.secrets."keys/nixsign" = {
      owner = "hydra";
      file = ../../../secrets/keys/nixservepriv.age;
    };

}