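{ config, pkgs, lib, ... }:

let
  # Single source of truth for the signing key pair's location.  It sits
  # directly under /persist, so it survives reboots on its own; the
  # environment.persistence entry below is NOT what keeps it.
  cacheDir = "/persist/nix-cache";
  privKey = "${cacheDir}/cache-priv-key.pem";
  pubKey = "${cacheDir}/cache-pub-key.txt";
  # Name embedded in the public key; clients see it as "<name>:<base64>".
  keyName = "${config.networking.hostName}-cache";
in
{
  # Binary cache server using nix-serve
  # Serves built packages to other hosts in the cluster for faster rebuilds
  #
  # Setup:
  # 1. Deploy this host first
  # 2. SSH in and get public key: cat /persist/nix-cache/cache-pub-key.txt
  # 3. Add that key to common/global/nix.nix in trusted-public-keys
  # 4. Deploy all other hosts to pick up the cache
  #
  # Trust model: the private key only lets clients verify that a path was
  # signed by this host.  nix-serve performs no authentication, so anyone who
  # can reach the port below can download any path in this host's store.

  # Ensure cache directory is persisted
  # NOTE(review): nothing in this file reads or writes /var/nix-cache; the key
  # pair lives in /persist/nix-cache.  Keep this entry only if another module
  # relies on /var/nix-cache, otherwise it is dead configuration.
  environment.persistence."/persist".directories = [
    { directory = "/var/nix-cache"; user = "nix-serve"; group = "nix-serve"; mode = "0755"; }
  ];

  # Auto-generate cache keys on first boot.
  # Runs as root (no User= set); the private key ends up root-owned, mode 0600.
  # NOTE(review): the nix-serve unit itself runs unprivileged — confirm after
  # the first boot (journal of nix-serve.service) that it can actually open
  # the root-owned 0600 key via whatever mechanism the NixOS module uses.
  systemd.services.nix-cache-key-init = {
    description = "Generate binary cache keys if missing";
    wantedBy = [ "multi-user.target" ];
    # Must complete before nix-serve starts, otherwise secretKeyFile does not
    # exist yet on the very first boot.
    before = [ "nix-serve.service" ];
    path = [ pkgs.nix ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      CACHE_DIR="${cacheDir}"
      mkdir -p "$CACHE_DIR"
      if [ ! -f "${privKey}" ]; then
        echo "Generating binary cache key pair..."
        # Create both files with restrictive permissions from the start so the
        # private key is never world-readable, even briefly, before the chmod.
        umask 077
        nix-store --generate-binary-cache-key ${keyName} "${privKey}" "${pubKey}"
        chmod 600 "${privKey}"
        chmod 644 "${pubKey}"
        echo "Binary cache keys generated at $CACHE_DIR"
        echo "Public key:"
        cat "${pubKey}"
      fi
    '';
  };

  # Enable nix-serve
  services.nix-serve = {
    enable = true;
    secretKeyFile = privKey;
    # Listens on every interface.  Together with the firewall rule below this
    # exposes the full store to every network this host is attached to; if the
    # host has a non-LAN interface, bind to the LAN address instead.
    bindAddress = "0.0.0.0";
    port = 5000;
  };

  # Open firewall for LAN access
  # NOTE(review): networking.firewall.allowedTCPPorts applies to all
  # interfaces; to limit exposure to the LAN only, use
  # networking.firewall.interfaces.<lan-if>.allowedTCPPorts instead.
  networking.firewall.allowedTCPPorts = [ 5000 ];
}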