# System automatic updates.
# This is a systemd service that pulls updates every hour.
# Unlike system.autoUpgrade, this script also verifies my git signature
# to prevent unauthorized changes to hosts.
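{
  config,
  lib,
  pkgs,
  secret,
  util,
  ...
}:
let
  cfg = config.module.autoupdate;
in
{
  config = lib.mkIf cfg.enable {
    # Trust anchor for the update: `git verify-commit` below only succeeds when
    # the commit signature validates against a principal listed in this
    # allowed-signers file. Only gpg.ssh.* is configured, so commits are
    # expected to be SSH-signed.
    programs.git = {
      enable = true;
      config = {
        gpg.ssh.allowedSignersFile = toString secret.crypto.sign.git.allowed;
      };
    };

    systemd.services.autoupdate = util.mkStaticSystemdService {
      enable = true;
      after = [ "network-online.target" ];
      description = "Signed system auto-update.";
      serviceConfig = {
        Type = "oneshot";
        # The checkout is made under /tmp. The host's shared /tmp is
        # world-writable, so another local user could pre-create or swap the
        # ./nixos directory between the signature check and `make switch`.
        # A private /tmp namespace removes that window.
        PrivateTmp = true;
      };
      wants = [ "network-online.target" ];
      path = with pkgs; [
        bash
        coreutils
        git
        gnumake
        nixos-rebuild
        openssh
      ];
      # Oneshot body: fresh shallow clone of `main`, verify HEAD's signature and
      # the object store, then apply. NixOS runs `script` under `set -e`, so any
      # failing command aborts the run before anything is applied.
      script = ''
        cd /tmp
        rm -rf ./nixos
        git clone --depth=1 --single-branch --branch=main ${config.const.url} ./nixos
        cd ./nixos
        # verify-commit checks HEAD only (the clone is depth 1); fsck rejects
        # corrupt or truncated objects. A valid signature does not prove
        # freshness: a remote serving an older, still-signed commit would also
        # pass this check.
        git verify-commit HEAD && git fsck || {
          echo "Verification failed."
          exit 1
        };
        # Bound the rebuild so a hung run cannot overlap the next hourly timer.
        timeout 55m make switch
      '';
    };

    systemd.timers.autoupdate = {
      enable = true;
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "hourly";
        # Catch up on a missed run after downtime.
        Persistent = true;
        # Small jitter so hosts do not all hit the remote at the same second.
        RandomizedDelaySec = 60;
        Unit = "autoupdate.service";
      };
    };
  };
}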