{ config, lib, site_config, service_configs, ... }:
let
  # Harmonia's listener port, rendered once and reused for both the bind
  # address and Caddy's reverse_proxy target so the two cannot drift apart.
  harmoniaPort = toString service_configs.ports.private.harmonia.port;

  # Directory CI writes the latest deploy store paths into; Caddy serves it
  # read-only under /deploy/* below.
  deployDir = "/var/lib/nix-deploy";
in
{
  # Restrict the signing key to the harmonia user (mode 0400) via the project's
  # tmpfiles helper. The path is written out literally instead of taken from
  # config.age.secrets: the module system resolves `imports` before `config`
  # is available, so referencing config here would not evaluate.
  imports = [
    (lib.serviceFilePerms "harmonia" [
      "Z /run/agenix/harmonia-sign-key 0400 harmonia harmonia"
    ])
  ];

  services.harmonia = {
    enable = true;
    # Loopback only — external clients reach harmonia solely through the
    # Caddy virtual host below, which applies the auth snippet first.
    settings.bind = "127.0.0.1:${harmoniaPort}";
    signKeyPaths = [ config.age.secrets.harmonia-sign-key.path ];
  };

  # /deploy/* is intentionally unauthenticated: the content is just the path
  # strings CI records, so anything placed in deployDir becomes readable by
  # anyone who can reach this host. file_server is used without `browse`, so
  # directory listings are not enabled. Every other request is gated by the
  # imported auth snippet before being proxied to harmonia.
  services.caddy.virtualHosts."nix-cache.${site_config.domain}".extraConfig = ''
    handle_path /deploy/* {
      root * ${deployDir}
      file_server
    }
    handle {
      import ${config.age.secrets.nix-cache-auth.path}
      reverse_proxy :${harmoniaPort}
    }
  '';

  # Owned by the CI runner so it can write; 0755 so a non-owner service
  # (presumably the caddy user) can read what CI publishes there.
  systemd.tmpfiles.rules = [ "d ${deployDir} 0755 gitea-runner gitea-runner" ];
}