{
  config,
  lib,
  service_configs,
  ...
}:
{
  imports = [
    (lib.serviceFilePerms "harmonia" [
      "Z /run/agenix/harmonia-sign-key 0400 harmonia harmonia"
    ])
  ];

  services.harmonia = {
    enable = true;
    signKeyPaths = [ config.age.secrets.harmonia-sign-key.path ];
    settings.bind = "127.0.0.1:${toString service_configs.ports.private.harmonia.port}";
  };

  services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
    import ${config.age.secrets.nix-cache-auth.path}
    reverse_proxy :${toString service_configs.ports.private.harmonia.port}
  '';
}