# NixOS module: Nix daemon configuration for a machine described by
# `config.machine` (reads `binaryCaches` and `administrators` from it).
{ nixpkgs, pkgs, config, lib, ... }:

let
  machine = config.machine;

  # A registry file with no entries. Pointing `flake-registry` at it means
  # flake references are not resolved through the default global registry;
  # only the `nixpkgs` entry pinned below is registered by this module.
  blankFlakeRegistry =
    pkgs.writeText "registry.json" ''{ "flakes": [], "version": 2 }'';

  # The same cache list feeds both `substituters` (used by default) and
  # `trusted-substituters` (caches users may select for themselves).
  binaryCacheUrls = [ "https://cache.nixos.org" ] ++ machine.binaryCaches;

  # Login names of the configured administrators.
  adminNames = map (admin: admin.name) machine.administrators;
in
{
  nix.package = pkgs.nix;

  # Pin the `nixpkgs` flake reference to the nixpkgs input this system is built from.
  nix.registry.nixpkgs.flake = nixpkgs;

  nix.settings = {
    max-jobs = 4;
    cores = 1;

    # Keep builds inside the Nix build sandbox.
    sandbox = true;
    auto-optimise-store = true;

    trusted-substituters = binaryCacheUrls;

    # TODO: integrate into sops
    # trusted-public-keys = [ (lib.fileContents "${machine.secretPath}/hydra_cache.pub") ];
    #
    # NOTE(review): while this stays commented out, this module configures no
    # signing key for the entries of `machine.binaryCaches`. With signature
    # checking left at its default (`require-sigs`), paths from a cache whose
    # key is not trusted elsewhere should be rejected rather than installed.
    # Add the key here instead of relaxing signature checking. The file holds
    # a public key, so it is not confidential; what matters is that it comes
    # from a source this configuration trusts.
    substituters = binaryCacheUrls;

    # Only root and the configured administrators may talk to the Nix daemon.
    allowed-users = [ "root" ] ++ adminNames;
  };

  # Options written verbatim into nix.conf.
  nix.extraOptions = ''
    build-timeout = 86400 # 24 hours
    experimental-features = nix-command flakes
    flake-registry = ${blankFlakeRegistry}
  '';
}