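{ config, pkgs, ... }:
let
  # Pinned host key for the git remote. Pointing UserKnownHostsFile at this
  # file (instead of the webhook user's ~/.ssh/known_hosts) means the deploy
  # can only talk to a server presenting exactly this key; update the entry
  # here if the server is ever re-keyed.
  gitKnownHosts = pkgs.writeText "known_hosts" ''
    [git.blazestar.net]:2222 ssh-rsa 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
  '';

  # Deploy script executed by the webhook service. writeShellApplication
  # already runs the script with errexit/nounset/pipefail and shellchecks it,
  # so the previous explicit `set -e` was redundant. The `id`/`pwd` debug
  # echoes were dropped: with include-command-output-in-response-on-error set
  # on the hook, everything the script prints is returned to the HTTP caller.
  deployHook = with pkgs; writeShellApplication {
    name = "deploy-astro-app";
    runtimeInputs = [ openssh gitFull nodejs_22 bashNonInteractive ];
    text = ''
      # Non-interactive SSH pinned to the known_hosts file above and to the
      # sops-managed deploy key.
      #  - StrictHostKeyChecking=yes makes a host-key mismatch a hard failure
      #    (the default "ask" only failed because there is no tty).
      #  - BatchMode/IdentitiesOnly stop ssh from prompting or offering any
      #    key other than the one passed with -i.
      #  - No `-v`: verbose ssh output (identity path, host-key details) would
      #    otherwise end up in the hook's HTTP error response.
      export GIT_SSH_COMMAND='ssh -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o "UserKnownHostsFile ${gitKnownHosts}" -i "${config.sops.secrets."deploy-key/terakoda.com".path}"'

      # Disable astro telemetry, otherwise it tries to write to
      # `~/.config/astro/config.json`.
      export ASTRO_TELEMETRY_DISABLED=1

      # Bring the working tree to exactly origin/main, discarding any local
      # modifications. Untracked files (such as the .npm cache below) are not
      # removed by `reset --hard`.
      git fetch origin main
      git reset --hard
      git checkout main
      git reset --hard origin/main

      # NOTE(security): `npm ci` and `npm run build` run dependency lifecycle
      # scripts and repository code as the webhook user, which can read the
      # deploy key referenced above. Anyone who can push to main therefore
      # runs code with access to that key; keep the key scoped to read-only
      # access on the git server.
      # Use a local cache with --cache .npm so nothing is written under ~/.npm.
      npm ci --cache .npm
      npm run build
    '';
  };
in
{
  sops.secrets = {
    # Deploy key for the git remote. Owned by the webhook user so the hook can
    # hand it to ssh; webhook.service is restarted whenever the secret changes.
    "deploy-key/terakoda.com" = {
      restartUnits = [ "webhook.service" ];
      owner = config.users.users.webhook.name;
    };
  };

  services.webhook = {
    enable = true;
    verbose = true;
    # openFirewall exposes port 9000 on every interface; the trigger-rule
    # below is the only thing limiting who may fire the hook.
    port = 9000;
    openFirewall = true;
    hooks = {
      "deploy-terakoda-com" = {
        id = "deploy-terakoda-com";
        http-methods = [ "POST" ];
        command-working-directory = "/tank/web/terakoda.com";
        # Handy for debugging from the caller, but it means git/npm/ssh output
        # (error text, paths) is sent back over HTTP to whoever triggered the
        # hook. Acceptable only while callers are restricted to the internal
        # ranges below; disable it if the hook is ever reachable more widely.
        include-command-output-in-response-on-error = true;
        execute-command = "${deployHook}/bin/deploy-astro-app";
        # Answer a non-matching request with 400 instead of a silent success.
        trigger-rule-mismatch-http-response-code = 400;
        trigger-rule = {
          or = [
            # There were some issues getting the payload signature validation
            # to work. Switching to only accepting requests from internal IPs.
            #
            # NOTE(security): an IP allow-list is weaker than the HMAC below:
            # it trusts the network rather than the sender, so every host in
            # these ranges can trigger a deploy (10.88.0.0/16 looks like a
            # container bridge range -- if so, any container on the host can
            # as well), and it relies on webhook seeing the real client
            # address rather than that of a reverse proxy in front of it.
            # { match = { type = "payload-hmac-sha1"; secret = "mysecret";
            #   parameter = { source = "header"; name = "X-Hub-Signature"; }; }; }
            {
              match = {
                type = "ip-whitelist";
                ip-range = "192.168.0.0/16";
              };
            }
            {
              match = {
                type = "ip-whitelist";
                ip-range = "10.88.0.0/16";
              };
            }
          ];
        };
      };
    };
  };
}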