# NixOS module for the cebula.camp site.
#
# Three pieces: a podman container running the site image, an nginx virtual
# host that terminates TLS (ACME) and proxies to it, and a root-run systemd
# timer/service pair that polls a local checkout every 5 minutes and restarts
# the container when the autodeploy helper decides a redeploy is due.
{ config, pkgs, lib, ... }:

let
  # Go helper built from the in-tree ./autodeploy source. vendorHash pins the
  # vendored Go module set, so the build fails closed if the dependency graph
  # ever differs from what was reviewed.
  autodeployBin = pkgs.buildGoModule {
    name = "autodeploy";
    src = ./autodeploy;
    vendorHash = "sha256-H8Wa1GoXjU8mkaE0ofdA1mO+rNo3l4s0nxTVih9LuWs=";
  };

  # Backend the container listens on and nginx proxies to. 10.88.0.1 is the
  # podman bridge gateway, so the port is not bound on a public interface;
  # traffic between nginx and the container is plain HTTP on that address.
  backendHost = "10.88.0.1";
  backendPort = "9001";
  backendUrl = "http://${backendHost}:${backendPort}/";

  # Systemd unit NixOS generates for `containers.site` under the podman backend.
  containerUnit = "podman-site";
in
{
  virtualisation = {
    podman.enable = true;
    oci-containers = {
      backend = "podman";
      containers.site = {
        # NOTE(review): `golden` is a mutable tag — whatever the registry serves
        # under it at deploy time is what runs; nothing here pins a digest, so
        # image integrity rests on git.orga.cebula.camp and its TLS.
        image = "git.orga.cebula.camp/infra/site:golden";
        # host-bridge-ip:host-port:container-port
        ports = [ "${backendHost}:${backendPort}:3000" ];
      };
    };
  };

  # Public entry point: HTTPS only, certificate via ACME, websockets passed
  # through to the container.
  services.nginx.virtualHosts."cebula.camp" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = backendUrl;
      proxyWebsockets = true;
    };
  };

  systemd = {
    # Fire 5 minutes after boot, then every 5 minutes after each run completes.
    timers.site-autodeploy = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "5m";
        OnUnitActiveSec = "5m";
        Unit = "site-autodeploy.service";
      };
    };

    services.site-autodeploy = {
      path = [ pkgs.podman pkgs.bash ];
      # The helper is given the checkout path and a shell command to run as the
      # trigger; what it does with them lives in ./autodeploy, not here.
      script = ''
        set -eu
        ${autodeployBin}/bin/autodeploy \
          -local_checkout /root/site-ci \
          -trigger "systemctl restart ${containerUnit}"
      '';
      serviceConfig = {
        Type = "oneshot";
        # Runs as root: it reads /root/site-ci and restarts a system unit.
        # TODO: run as an unprivileged user:
        #   1. figure out why rootless podman is broken, probably something
        #      with subuid/subgid maps with LDAP.
        #   2. let the unprivileged user sudo into a systemctl unit restart.
        User = "root";
      };
    };
  };
}