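# NixOS module: exposes a webhook endpoint (port 9000) that, on an
# HMAC-signed POST, updates the checkout in /tank/web/www2.terakoda.com to
# origin/main and rebuilds the Astro site with npm.
{ config, pkgs, ... }:
let
  # Pinned SSH host key for the git server. Only the public host key lives
  # here, so it is fine for this file to end up in the Nix store.
  gitKnownHosts = pkgs.writeText "known_hosts" ''
    [git.blazestar.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDSikNAZDAbdQ5TA6Eg95FBM3sdPfAfghG+n56akCal8XXV/vOnXgqfeDASfXVOu+PZqCHnpGTxsym7hf2naFC0enznhS2sqahdQKKcsHvSfyQxpYFYyB2Zp8YDbnbRNGl2SbnqOajzk1SxJrJ0fFXmfrRIMnGNz+uFtIqc+T52CM051nd5Gj3f9a8xCwg7hedvSCynobsW9IOCmCc9rZ99TRd+m0kO74pUbgVqLv/+aSuW40K1uCkKgyh6PQsmkZd5GY0URwoJvLZauZLSPxl6DEU6lYz8S/hPrTP/e6fOPZsavQBYC+3Q/akoFnY+qlKgWLQy/Om6hz0EfYuuzNPRhf1jaGKjHgEri1f3OMgXcRMvjovRgbbu0JRGANmN8FMe20S4AAvbxmsQdQci+QcXZPDPbcmT3XJv8e8p4HNQyLxHyh0u9dLBE2ccTv5gdf/6iZy6WXlYEf1UAKC2lExRuKBV3lrnuyHhOj+iL09gUMYFuIyHuX2Hsw9yKZbO8J2+STNIVQfAJ0Upa2cJ33a6RlOxGiHXi4UbZTPguNgQaQdM0CuklVTynBfWr1Hfd8c8hVtT+HLz+XOU2Nrmgq90/w7g7mo5JxXHkcfBlqlXKONTkDUG3KHbwKtQNVC6l3bhpvPc32Mys6e7JeWnrb1zXojopnPvoct54qDVlwc5xQ==
  '';

  # Script executed by the webhook service. It runs in the hook's
  # command-working-directory, which is expected to already be a clone with
  # an `origin` remote.
  testHook = with pkgs; writeShellApplication {
    name = "deploy-astro-app";
    runtimeInputs = [
      openssh
      gitFull
      nodejs_22
      bashNonInteractive
    ];
    text = ''
      set -e

      # NOTE(review): `id`, `pwd` and the `ssh -v` debug stream are all
      # returned to the HTTP caller while include-command-output-in-response
      # is enabled on the hook. Drop them once the hook is known to work.
      id
      pwd

      # Authenticate with the sops-managed deploy key only (IdentitiesOnly)
      # and accept nothing but the pinned host key: StrictHostKeyChecking=yes
      # makes an unknown or changed key a hard failure instead of relying on
      # the interactive default.
      export GIT_SSH_COMMAND='ssh -v -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -o "UserKnownHostsFile ${gitKnownHosts}" -i "${ config.sops.secrets."deploy-key/terakoda.com".path }"'

      # Disable astro telemetry otherwise it will try to write to `~/.config/astro/config.json`
      export ASTRO_TELEMETRY_DISABLED=1

      # Fetch the repository and make sure we are reset to HEAD
      git fetch origin main
      git reset --hard
      git checkout main
      git reset --hard origin/main

      # Use a local cache with --cache .npm
      # NOTE(review): both npm steps execute scripts taken from the
      # repository, as the same user that can read the deploy key.
      npm ci --cache .npm
      npm run build
    '';
  };
in
{
  # [ ] Make sure the hook can operate on that directory
  # [ ] Run the build command

  # Deploy key used by GIT_SSH_COMMAND above. It is owned by the webhook user
  # so the service can read it, and the service is restarted when it changes.
  sops.secrets = {
    "deploy-key/terakoda.com" = {
      restartUnits = [ "webhook.service" ];
      owner = config.users.users.webhook.name;
    };
  };

  services.webhook = {
    enable = true;
    verbose = true;
    port = 9000;
    # NOTE(review): this opens port 9000 in the host firewall and nothing in
    # this module configures TLS. Confirm the listener sits behind a reverse
    # proxy, or restrict which sources can reach it.
    openFirewall = true;

    hooks = {
      "deploy-www2-terakoda-com" = {
        id = "deploy-www2-terakoda-com";
        http-methods = [ "POST" ];
        command-working-directory = "/tank/web/www2.terakoda.com";
        # NOTE(review): the full command output, including on failure, is
        # sent back in the HTTP response. Prefer reading it from the service
        # journal once debugging is finished.
        include-command-output-in-response = true;
        include-command-output-in-response-on-error = true;
        execute-command = "${testHook}/bin/deploy-astro-app";

        # The request body must carry a valid HMAC-SHA256 signature in the
        # X-Hub-Signature-256 header. This is the hook's only authentication.
        trigger-rule = {
          match = {
            type = "payload-mac-sha256";
            # FIXME(security): hard-coded, guessable HMAC secret. As a Nix
            # literal it is also copied into the world-readable Nix store.
            # Replace it with a long random value kept in sops and supplied
            # to webhook at runtime (for example via
            # services.webhook.hooksTemplated reading an environment
            # variable), and rotate it on the sending side too.
            secret = "test123";
            parameter = {
              source = "header";
              name = "X-Hub-Signature-256";
            };
          };
        };
      };
    };
  };
}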