{ pkgs, config, ... }:
let
  settingsFormat = pkgs.formats.toml { };

  dataDir = "/data/slow/tvix-store";

  store-config = {
    composition = {
      blobservices.default = {
        type = "objectstore";
        object_store_url = "file://${dataDir}/blob.objectstore";
        object_store_options = { };
      };
      directoryservices = {
        sled = {
          type = "sled";
          is_temporary = false;
          path = "${dataDir}/directory.sled";
        };
        object = {
          type = "objectstore";
          object_store_url = "file://${dataDir}/directory.objectstore";
          object_store_options = { };
        };
      };
      pathinfoservices = {
        infra = {
          type = "sled";
          is_temporary = false;
          path = "${dataDir}/pathinfo.sled";
        };
        infra-signing = {
          type = "keyfile-signing";
          inner = "infra";
          keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
        };
      };
    };

    endpoints = {
      "127.0.0.1:8056" = {
        endpoint_type = "Http";
        blob_service = "default";
        directory_service = "object";
        path_info_service = "infra";
      };
      "127.0.0.1:8058" = {
        endpoint_type = "Http";
        blob_service = "default";
        directory_service = "object";
        path_info_service = "infra-signing";
      };
      # Add grpc for management and because it is nice
      "127.0.0.1:8057" = {
        endpoint_type = "Grpc";
        blob_service = "default";
        directory_service = "object";
        path_info_service = "infra";
      };
    };
  };
  systemdHardening = {
    PrivateDevices = true;
    PrivateTmp = true;
    ProtectControlGroups = true;
    ProtectKernelTunables = true;
    RestrictSUIDSGID = true;

    ProtectSystem = "strict";
    ProtectKernelLogs = true;
    ProtectProc = "invisible";
    PrivateUsers = true;
    ProtectHome = true;
    UMask = "0077";
    RuntimeDirectoryMode = "0750";
    StateDirectoryMode = "0750";
  };
  toml = {
    composition = settingsFormat.generate "composition.toml" store-config.composition;
    endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
  };
  package = pkgs.callPackage ./package { };
in
{

  age-secrets.autoMatch = [
    "tvix-store"
    "nginx"
  ];

  services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/infra/" = {
        proxyPass = "http://127.0.0.1:8056/";
        extraConfig = ''
          client_max_body_size 50G;
          limit_except GET {
            auth_basic "Password required";
            auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
          }
        '';
      };
      "/infra-signing/" = {
        proxyPass = "http://127.0.0.1:8058/";
        extraConfig = ''
          client_max_body_size 50G;
          auth_basic "Password required";
          auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
        '';
      };
      "/.well-known/nix-signing-keys/" = {
        alias = "${./pubkeys}/";
        extraConfig = "autoindex on;";
      };
    };
  };
  # TODO add tvix-store cli here
  # environment.systemPackages = [ ];
  users.users.tvix-store = {
    isSystemUser = true;
    group = "tvix-store";
  };
  users.groups.tvix-store = { };

  systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];

  systemd.services."tvix-store" = {
    wantedBy = [ "multi-user.target" ];
    environment = {
      RUST_LOG = "debug";
    };
    serviceConfig = {
      UMask = "007";
      ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
      StateDirectory = "tvix-store";
      RuntimeDirectory = "tvix-store";
      User = "tvix-store";
      Group = "tvix-store";
      ReadWritePaths = [ dataDir ];
    } // systemdHardening;
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}