# NixOS module for the Buildbot CI host (options under `bagel.services.buildbot`).
#
# When enabled it sets up, on the same machine:
#   * an nginx virtual host for `domain` with forced TLS and an ACME certificate,
#   * a buildbot-nix worker,
#   * a buildbot-nix coordinator wired to OAuth2 login and to Gerrit,
#   * hourly Nix garbage collection.
#
# All credentials are age-encrypted files under ../../secrets and are handed to
# the services by path only (`config.age.secrets.<name>.path`); no secret value
# is written as a literal in this module.
{ nodes, config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf types;

  cfg = config.bagel.services.buildbot;

  # Gerrit's settings come from the evaluated configuration of the `gerrit01`
  # node, so domain and port stay in sync with that host's definition.
  cfgGerrit = nodes.gerrit01.config.bagel.services.gerrit;

  # Path of the decrypted secret `name` as exposed by the age module.
  secretPath = name: config.age.secrets.${name}.path;

  # Systems the coordinator schedules builds for.
  coordinatorSystems = config.services.buildbot-nix.coordinator.buildSystems;

  # One `{ <system> = <maxJobs>; }` set per (build machine, system) pair.
  jobsPerMachineAndSystem = lib.concatMap
    (machine: map (system: { ${system} = machine.maxJobs; }) machine.systems)
    config.nix.buildMachines;

  # Sum of maxJobs per system across all configured build machines.
  jobsPerSystem = lib.zipAttrsWith (_: lib.foldl' lib.add 0) jobsPerMachineAndSystem;
in
{
  options.bagel.services.buildbot = {
    enable = mkEnableOption "Buildbot";

    # Host name of the nginx virtual host; also passed to the coordinator.
    # No default is given, so it must be set wherever the service is enabled.
    domain = mkOption {
      type = types.str;
    };
  };

  config = mkIf cfg.enable {
    # 443 serves the UI; 80 is opened as well. With `forceSSL` nginx redirects
    # plain HTTP to HTTPS, and `enableACME` needs the host reachable for
    # certificate issuance.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # NOTE(review): no owner/group/mode is set on these secrets in this file.
    # Confirm that the buildbot services can read them and that no other user
    # can -- the age defaults or the buildbot-nix module may already cover this.
    age.secrets = {
      buildbot-worker-password.file = ../../secrets/buildbot-worker-password.age;
      buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
      buildbot-workers.file = ../../secrets/buildbot-workers.age;
      buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
      buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age;
    };

    services.nginx.virtualHosts.${cfg.domain} = {
      enableACME = true;
      forceSSL = true;
    };

    services.buildbot-nix.worker = {
      enable = true;
      workerPasswordFile = secretPath "buildbot-worker-password";

      # All credits to eldritch horrors for this beauty.
      #
      # Result: `other = 8` plus, for every system listed in the coordinator's
      # `buildSystems`, the total `maxJobs` over `nix.buildMachines`. Systems
      # the coordinator does not build for are dropped by the filter.
      workerArchitectures =
        {
          # nix-eval-jobs runs under a lock, error reports do not (but are cheap)
          other = 8;
        }
        // lib.filterAttrs (system: _: lib.elem system coordinatorSystems) jobsPerSystem;
    };

    services.buildbot-nix.coordinator = {
      enable = true;
      inherit (cfg) domain;

      # Login is delegated to the identity provider below; only the path of the
      # client secret is referenced here.
      oauth2 = {
        name = "Lix";
        clientId = "forkos-buildbot";
        clientSecretFile = secretPath "buildbot-oauth-secret";
        resourceEndpoint = "https://identity.lix.systems";
        authUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
        tokenUri = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
      };

      workersFile = secretPath "buildbot-workers";

      # NOTE(review): wildcard entry -- presumably this feeds Buildbot's origin
      # check, in which case every subdomain of forkos.org is accepted. Confirm
      # that all of them are equally trusted, or list the exact hosts.
      allowedOrigins = [ "*.forkos.org" ];

      buildSystems = [ "x86_64-linux" ];

      gerrit = {
        domain = cfgGerrit.canonicalDomain;
        # Manually managed account…
        # TODO: https://git.lix.systems/the-distro/infra/issues/69
        username = "buildbot";
        port = cfgGerrit.port;
        # Presumably the private key the `buildbot` account authenticates to
        # Gerrit with -- verify against the buildbot-nix module.
        privateKeyFile = secretPath "buildbot-service-key";
        # Only these Gerrit projects are listed for the coordinator.
        projects = [
          "buildbot-test"
          "nixpkgs"
          "infra"
        ];
      };

      evalWorkerCount = 6;
      evalMaxMemorySize = "4096";

      # Presumably used to sign build outputs -- verify against the
      # buildbot-nix module. Whoever can read this file can produce signatures
      # that clients trusting the key will accept.
      signingKeyFile = secretPath "buildbot-signing-key";
    };

    # Keep the .drv files of live store paths across the hourly GC runs below.
    nix.settings.keep-derivations = true;

    nix.gc = {
      automatic = true;
      dates = "hourly";
    };
  };
}