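{ config, pkgs, lib, ... }:
# serge <3
# TODO: distributed (s)ccache (with redis?)
#
# Shared ccache/sccache directories for Nix builds.
# Derivations that request the "ccache" or "sccache" system feature get the
# cache directories listed below mounted into their build sandbox via
# nix-required-mounts.
#
# NOTE(review): the cache is state shared between otherwise isolated builds.
# Every derivation allowed to use these features can add entries that later
# builds will reuse, so cached objects are only as trustworthy as the
# least-trusted derivation that may request the feature. Restrict the feature
# to builds you trust, and do not treat outputs of ccache-enabled builds as
# reproducible without checking.
let
  cfg = config.programs.ccache;

  # Single source of truth for the sccache directory; it is used by the
  # sandbox mount list, the tmpfiles rules and the stats wrapper.
  sccacheDir = "/var/cache/sccache";

  sccacheExe = lib.getExe pkgs.sccache;

  # Ownership and mode shared by both cache directories: owner and group get
  # full access, everyone else gets none.
  cacheDirRule = {
    user = cfg.owner;
    group = cfg.group;
    mode = "0770";
  };
in
{
  programs.ccache.enable = true;
  programs.ccache.owner = "root"; # default
  programs.ccache.group = "nixbld"; # default

  programs.nix-required-mounts.enable = true;
  programs.nix-required-mounts.allowedPatterns."ccache" = {
    onFeatures = [
      "ccache"
      "sccache"
    ];
    paths = [
      cfg.cacheDir
      sccacheDir # TODO: upstream?
    ];
  };

  nix.settings.system-features = [
    "ccache"
    "sccache"
  ];

  # can be monitored with `nix-ccache --show-stats`
  systemd.tmpfiles.settings."50-ccache" =
    let
      tmp = {
        # "d": create the directory if it is missing.
        d = cacheDirRule;
        # "Z": re-apply owner, group and mode recursively to existing content.
        # NOTE(review): without a "~" mode prefix this also puts 0770 on
        # regular cache files, execute bits included; confirm that is wanted.
        Z = cacheDirRule;
      };
    in
    {
      # Keyed on the configured cacheDir (default "/var/cache/ccache") so the
      # directory created here is always the one mounted into the sandbox.
      ${cfg.cacheDir} = tmp;
      ${sccacheDir} = tmp;
    };

  # based on https://github.com/NixOS/nixpkgs/blob/d89fc19e405cb2d55ce7cc114356846a0ee5e956/nixos/modules/programs/ccache.nix#L49-L67
  #
  # Setgid wrapper (not setuid) that runs sccache with the cache group, so
  # the statistics can be read without adding users to that group.
  # The script is the privilege boundary and is deliberately narrow:
  #   * %ENV is replaced wholesale, so nothing from the caller's environment
  #     reaches sccache; only SCCACHE_DIR is set.
  #   * untaint() maps each argument onto a fixed literal from a short
  #     allow-list (version, show/zero stats); any other argument ends in
  #     `sccache -h` instead of being passed through.
  # NOTE(review): "-z"/"--zero-stats" is on the allow-list, so every user who
  # can run the wrapper can reset the statistics. Keep the list limited to
  # options that neither read nor write caller-chosen paths.
  security.wrappers.nix-sccache = {
    inherit (cfg) owner group;
    setuid = false;
    setgid = true;
    source = pkgs.writeScript "nix-sccache.pl" ''
      #!${pkgs.perl}/bin/perl

      %ENV=( SCCACHE_DIR => '${sccacheDir}' );
      sub untaint {
        my $v = shift;
        return '--version' if $v eq '-V' || $v eq '--version';
        return '-s' if $v eq '-s' || $v eq '--show-stats';
        return '--show-adv-stats' if $v eq '--show-adv-stats';
        return '-z' if $v eq '-z' || $v eq '--zero-stats';
        exec('${sccacheExe}', '-h');
      }
      exec('${sccacheExe}', map { untaint $_ } @ARGV);
    '';
  };
}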