{ config, lib, pkgs, ... }:
let
  nixKey = "/var/lib/nix/binary-cache-key" ;
in {
  init.services.nix-key-setup = {
    description = "Generate a nix build signing key";
    startType = "oneshot";
    startCommand = pkgs.writeScript "nix-key-setup" ''
      test -f ${nixKey} && test -f ${nixKey}.pub && exit 0 || true
      mkdir -p "$(dirname "${nixKey}")"
      ${config.nix.package}/bin/nix-store --generate-binary-cache-key ${config.networking.hostName} ${nixKey} ${nixKey}.pub
    '';
    after = [ "FILESYSTEMS" ];
  };
}