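# NixOS module: runs ncps (a Nix binary-cache proxy) on loopback and declares an
# nginx virtual host for its public host name.
#
# NOTE(review): this file was reconstructed from a whitespace-flattened copy, so
# the boundary between commented-out and live settings is inferred in a few
# places. Those places are marked below; confirm them against the original.
{ lib, config, ... }:

let
  inherit (config.pbsds.nginx) mkDomain;

  /**
    filter-caches :: [str] -> [str]

    Drops substituter URLs that must not become upstreams of the proxy:
    cache.nixos.org and the proxy's own listen address / public host name.
    Listing the proxy itself as an upstream would make it fetch from itself.

    URLs are compared with one trailing "/" removed on both sides, so
    "https://cache.nixos.org" and "https://cache.nixos.org/" are treated as the
    same entry. Surviving entries are returned unmodified.
  */
  filter-caches =
    let
      normalize = lib.removeSuffix "/";
      blacklist = map normalize [
        "https://cache.nixos.org/"
        "http://${config.services.ncps.server.addr}"
        "http://${config.services.ncps.cache.hostName}"
        "https://${config.services.ncps.cache.hostName}"
      ];
    in
    lib.filter (cacheAddr: !(builtins.elem (normalize cacheAddr) blacklist));
in
{
  # based on
  # - https://discourse.nixos.org/t/announcing-ncps-a-nix-cache-proxy-server-for-faster-builds/58166
  # - https://github.com/kalbasit/ncps
  # - https://search.nixos.org/options?query=services.ncps
  # - https://github.com/msfjarvis/dotfiles/blob/2dc0b9abc40b6af757b18f3f687fe205c96ef87c/modules/nixos/ncps/default.nix
  # - https://github.com/Ramblurr/nixcfg/blob/2901418935895f86ea84a881e5571813c6370f11/hosts/mali/ncps.nix
  # - https://github.com/numinit/MeshOS/blob/e30e3902a8d6d63d5eda031f58aff8c0b6bc9c94/nixos/modules/caches.nix

  # Only register the cache host name with the updater while ncps is enabled.
  services.domeneshop-updater.targets = lib.mkIf config.services.ncps.enable [
    config.services.ncps.cache.hostName
  ];

  services.ncps = {
    # Disabled when the configuration is built as a VM variant.
    enable = !config.virtualisation.isVmVariant;
    # logLevel = "info"; # default is "info"

    # Loopback only: the daemon is not reachable from other hosts directly.
    server.addr = "127.0.0.1:8876";
    # prometheus.enable = true;

    cache = {
      hostName = "cache-proxy.pbsds.net";
      # hostName = mkDomain "cache-proxy";
      # hostName = config.pbsds.tailscale.fqdn;
      dataPath = "/mnt/meconium/blob/ncps"; # will be automatically chowned (systemd ReadWritePaths)
      # tempPath = ""; # defaults to "/tmp"
      maxSize = "50G";

      # TODO: secretKeyPath = TODO; # config.sops.secrets.ncps-private-key.path;
      # NOTE(review): no signing key is pinned here yet. Clients can only verify
      # what this cache serves if they trust the key it signs with, so confirm
      # which key ncps uses while this is unset and manage it as a secret.

      # Keep the cache read-only for HTTP clients: no uploads, no deletions.
      allowPutVerb = false;
      allowDeleteVerb = false;
      # lru = { scheduleTimeZone = "Europe/Oslo"; schedule = "00 08 * * *"; }; # 8 AM daily
    };

    # Upstreams are the host's trusted substituters minus the entries that
    # filter-caches removes.
    upstream.caches = filter-caches config.nix.settings.trusted-substituters;
    # Reuse the host's trusted public keys for the upstreams
    # (presumably used to verify upstream signatures; confirm).
    upstream.publicKeys = config.nix.settings.trusted-public-keys;
  };

  services.nginx.virtualHosts.${config.services.ncps.cache.hostName} = {
    # addSSL = true; forceSSL = true;
    # NOTE(review): the flattened source does not show whether forceSSL or addSSL
    # is the live setting; the nginx module rejects both being enabled together.
    # addSSL is kept as the last uncommented assignment. With addSSL the host
    # also answers plain HTTP without redirecting, so requests made over http://
    # travel in cleartext. Prefer forceSSL unless an HTTP-only client needs this.
    addSSL = true;
    enableACME = true; # useACMEHost = acmeDomain;

    # NOTE(review): with enableACME, serverAliases are presumably requested as
    # extra names on the certificate; confirm that the bare alias "binarycache"
    # does not break issuance.
    serverAliases = [ "binarycache" ];
    # serverAliases = [ config.pbsds.tailscale.fqdn ];

    locations."/" = {
      # Access restrictions come from the shared nginx allow-list snippet.
      inherit (config.pbsds.nginx.allowList) extraConfig;
      # NOTE(review): no proxyPass is set, so as written this location does not
      # forward to ncps; the commented line below targets nix-serve's port.
      # proxyPass = "http://localhost:${toString config.services.nix-serve.port}";
    };
  };
}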