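{ config, pkgs, ... }:
let
  # Pinned host key for the git server (non-standard port 2222). Used through
  # UserKnownHostsFile below so the fetch never consults ~/.ssh/known_hosts and
  # fails closed on an unknown or changed key (there is no TTY to "ask" on).
  gitKnownHosts = pkgs.writeText "known_hosts" ''
    [git.blazestar.net]:2222 ssh-rsa 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
  '';

  # Script executed by the webhook service for every delivery that passes the
  # HMAC trigger rule. It runs as the webhook user inside
  # command-working-directory, which therefore holds the git checkout, the npm
  # cache (.npm), one timestamped build directory per deployment and the live
  # `deployed` tree.
  deployNpmApp = pkgs.writeShellApplication {
    name = "build-npm-app";
    runtimeInputs = with pkgs; [
      openssh
      gitFull
      nodejs_22
      bashNonInteractive
      rsync
      util-linux # flock
    ];
    text = ''
      # writeShellApplication already enables errexit, nounset and pipefail.
      echo "Deploying in $(pwd) as $(id)"

      # webhook runs hook commands concurrently, so two deliveries in quick
      # succession would race on the same checkout, npm cache and `deployed`
      # tree. Serialise deployments on a lock file in the working directory;
      # the descriptor is released when this script (and its children) exit.
      exec 9>.deploy.lock
      flock --timeout 600 9

      OUTPUT_DIR="./$(date --utc --iso-8601=seconds)"
      echo "Deploying into $OUTPUT_DIR"

      # - no `-v`: ssh debug output would be returned to the caller on failure
      #   (include-command-output-in-response-on-error) and clutters the journal
      # - StrictHostKeyChecking=yes with the pinned known_hosts file: reject an
      #   unknown or changed host key instead of prompting or silently adding it
      # - IdentitiesOnly/BatchMode: offer only the deploy key and never prompt
      export GIT_SSH_COMMAND='ssh -o "UserKnownHostsFile ${gitKnownHosts}" -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -o BatchMode=yes -i "${config.sops.secrets."webhook/deploy-key".path}"'

      # Astro would otherwise try to write ~/.config/astro/config.json, which
      # the webhook user cannot (and should not) do.
      export ASTRO_TELEMETRY_DISABLED=1

      # Bring the working tree to exactly origin/main, discarding local edits.
      # Untracked files (.npm, .deploy.lock, build dirs, deployed) are kept.
      git fetch origin main
      git reset --hard
      git checkout main
      git reset --hard origin/main

      # `npm ci` installs exactly what the lockfile pins and runs package
      # lifecycle scripts. The repository's own build script runs right after,
      # so the trust boundary is the repository plus its lockfile; review
      # lockfile changes with that in mind. The cache stays local to this tree.
      npm ci --cache .npm
      npm run build -- --outDir "$OUTPUT_DIR"

      echo "Activating $OUTPUT_DIR"
      # Trailing slash on source to only copy contents, not the directory itself.
      # Previous build directories are left in place (one per deployment) and
      # are not cleaned up here.
      rsync --archive --delete "$OUTPUT_DIR"/ deployed
      echo "Deployment complete"
    '';
  };
in
{
  sops.secrets = {
    "webhook/deploy-key" = {
      restartUnits = [ "webhook.service" ];
      owner = config.users.users.webhook.name;
    };
    # EnvironmentFile for webhook.service, in KEY=value form:
    #   WEBHOOK_HMAC_SECRET=<the secret configured on the git forge's webhook>
    # Keep the value free of `"` and `\` — it is substituted into the hooks
    # JSON by webhook's template engine before JSON parsing.
    "webhook/hmac-env" = {
      restartUnits = [ "webhook.service" ];
      owner = config.users.users.webhook.name;
    };
  };

  # The HMAC secret is read from the service environment at runtime (see
  # `getenv` below) so it never ends up in the world-readable Nix store.
  systemd.services.webhook.serviceConfig.EnvironmentFile =
    config.sops.secrets."webhook/hmac-env".path;

  services.webhook =
    let
      # Accept a delivery only if its body is authenticated with the shared
      # secret. `payload-hmac-sha1` / X-Hub-Signature is the GitHub-style
      # signature; if the forge also sends X-Hub-Signature-256, prefer
      # `payload-hmac-sha256` on that header.
      trigger-rule = {
        or = [
          {
            match = {
              type = "payload-hmac-sha1";
              secret = "{{ getenv `WEBHOOK_HMAC_SECRET` }}";
              parameter = {
                source = "header";
                name = "X-Hub-Signature";
              };
            };
          }
        ];
      };
    in
    {
      enable = true;
      verbose = true;
      # Plain HTTP on 9000, opened in the firewall. The HMAC rule authenticates
      # deliveries but does not encrypt them; if this host is reachable from
      # the internet, front it with a TLS-terminating reverse proxy.
      port = 9000;
      openFirewall = true;
      # Parse the hooks file as a Go template so `getenv` above is expanded.
      enableTemplates = true;
      hooks = {
        "deploy-blazestar-net" = {
          id = "deploy-blazestar-net";
          http-methods = [ "POST" ];
          command-working-directory = "/web/blazestar.net";
          # Script output (paths, git/npm messages) is returned to the caller
          # on failure; only HMAC-authenticated callers get that far.
          include-command-output-in-response-on-error = true;
          execute-command = "${deployNpmApp}/bin/build-npm-app";
          trigger-rule-mismatch-http-response-code = 400;
          inherit trigger-rule;
        };
      };
    };
}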