{ lib, config, ... }:
let
  listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
  listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
    add_header Alt-Svc 'h3=":443"';
  '';
in
{
  services.nix-serve = {
    bindAddress = "127.0.0.1";
    enable = true;
    secretKeyFile = "/var/cache-priv-key.pem";
  };
  services.nginx.virtualHosts."cache.int.chir.rs" = {
    listenAddresses = listenIPs;
    sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
    sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
    locations."/" = {
      proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
      proxyWebsockets = true;
    };
    extraConfig = listenStatements;
  };
}