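# NixOS module: runs nix-serve-ng and makes sure a binary-cache signing
# key pair exists on disk before the nix-serve unit is started.
#
# Fixes over the previous version:
#  * the parent directories are created *before* `touch`/`chmod` are run,
#    so a secretKeyFile outside an existing directory no longer aborts;
#  * the generate-key unit is ordered `before` nix-serve.service and is a
#    oneshot, so nix-serve cannot start while the key is still missing
#    (`wantedBy` alone gives no ordering);
#  * paths and the key name are shell-escaped, and `umask 077` ensures the
#    secret never exists on disk with permissive bits, not even briefly.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.nix-serve;
  # Full unit name ("nix-serve.service") from the unit-options submodule.
  nixServeUnit = config.systemd.services.nix-serve.name;
in
{
  options.services.nix-serve = {
    keyName = lib.mkOption {
      type = lib.types.str;
      default = config.networking.fqdnOrHostName;
      defaultText = "config.networking.fqdnOrHostName";
      description = "Name of the key when generating (usually domain name)";
    };

    publicKeyFile = lib.mkOption {
      type = lib.types.path;
      default = "/var/cache-pub-key.pem";
      description = "Path to the public key file";
    };
  };

  config = {
    services.nix-serve = {
      enable = true;
      package = pkgs.nix-serve-ng;
      secretKeyFile = "/var/cache-priv-key.pem";
    };

    systemd.services.nix-serve-generate-key = {
      description = "Ensure existence of nix binary cache signing key";

      # `wantedBy` only pulls this unit in; `before` plus Type=oneshot is what
      # makes systemd wait for the key to exist before nix-serve starts.
      wantedBy = [ nixServeUnit ];
      before = [ nixServeUnit ];
      serviceConfig.Type = "oneshot";

      script = ''
        # The private key must never be readable by anyone but root.
        umask 077

        secret=${lib.escapeShellArg cfg.secretKeyFile}
        public=${lib.escapeShellArg cfg.publicKeyFile}
        name=${lib.escapeShellArg cfg.keyName}

        # Idempotent: an existing regular key file is left untouched.
        if [ -f "$secret" ]; then
          echo "File $secret already exists, nothing to do" >&2
          exit 0
        fi

        # Anything else at that path (directory, symlink, device) is an error
        # rather than something to overwrite.
        if [ -e "$secret" ]; then
          echo "File $secret is not a regular file" >&2
          exit 1
        fi

        echo "Generating nix binary cache signing key" >&2
        mkdir -p "$(dirname "$secret")" "$(dirname "$public")"
        touch "$secret"
        chmod 600 "$secret"
        ${lib.getExe' pkgs.nix "nix-store"} --generate-binary-cache-key \
          "$name" "$secret" "$public"
      '';

      restartIfChanged = true;
    };
  };
}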