{ lib, inputs, ... }:

## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
## should be integrated with the code for other machines (in particular VMs).

let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;

  secretsDir = ../../secrets;
  allSecrets = import (secretsDir + "/secrets.nix");
  keys = import ../../keys;

  ## The same key is used twice below: as the SSH `hostPublicKey` of the
  ## deployment target and as the filter that decides which age secrets the
  ## machine receives.
  hostPublicKey = keys.systems.forgejo-ci;

  ## Turns one entry of `secrets.nix` into an `age.secrets` entry, but only when
  ## this host's public key is listed in the entry's `publicKeys`. Entries that
  ## do not list the host yield `{ }` and are therefore not installed on it.
  ## The attribute name is the file name with its `.age` suffix removed.
  secretForHost =
    fileName: entry:
    optionalAttrs (elem hostPublicKey entry.publicKeys) {
      ${removeSuffix ".age" fileName}.file = secretsDir + "/${fileName}";
    };
in
{
  nixops4Deployments.forgejo-ci =
    { providers, ... }:
    {
      providers.local = inputs.nixops4.modules.nixops4Provider.local;

      resources.forgejo-ci = {
        type = providers.local.exec;
        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];

        ssh = {
          host = "45.142.234.216";
          ## `orianne` is not defined in this file; presumably it is a host
          ## alias that must exist in the deploying user's SSH configuration.
          opts = "-J orianne"; # FIXME
          inherit hostPublicKey;
        };

        inherit (inputs) nixpkgs;

        nixos.module = {
          imports = [
            inputs.agenix.nixosModules.default
            ./configuration.nix
          ];

          age.secrets = concatMapAttrs secretForHost allSecrets;

          ## Every key in `keys.contributors` is authorised to log in as root.
          ## NOTE(review): confirm that all contributors are meant to hold root
          ## on the CI host, where the age secrets above are decrypted.
          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
        };
      };
    };
}