{config, ...}: let
  buildDomain = "build.${config.customOps.domain.fqdn}";
in {
  sops.secrets = {
    "msci/taur/sshkey" = {};
    "msci/taur/gpgkey" = {};
    "msci/taur/gpgpwd" = {};
  };
  makeshiftci = {
    enable = true;
    webUI.enable = true;
  };
  services.nginx.virtualHosts.${buildDomain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString config.makeshiftci.webUI.port}";
      extraConfig = ''
        proxy_buffering off;
      '';
    };
  };
}