# SPDX-FileCopyrightText: V
# SPDX-FileCopyrightText: edef
# SPDX-License-Identifier: OSL-3.0

# NixOS module declaring the `git` system user and group, the SSH keys and
# certificate authorities allowed to log in as that user, and a post-receive
# hook for the `basin` repository.
{ lib, pkgs, ... }:

with lib;

let
  # Hook body: pushes `trunk` to the scp-style remote `trieste:basin`.
  # FIXME(V): There are more than a number of issues with this!
  # - requires an explicit remote (we could add this to the config)
  # - only updates trunk (even if other branches were pushed)
  # - has no way to filter specific branches from being published
  # - does not synchronize tags
  # NOTE(review): post-receive runs after the refs are already updated, so a
  # failed mirror push here does not reject the incoming push — confirm how
  # such failures are meant to be noticed.
  # NOTE(review): the SSH credentials used for the outbound push are not
  # visible in this file; presumably they belong to the `git` user — verify,
  # and keep them scoped to the mirror only.
  syncRepository = pkgs.writeShellScript "sync-repository" ''
    git push trieste:basin trunk
  '';
in
{
  users = {
    # TODO(edef): could we somehow make this use DynamicUser?
    users.git = {
      isSystemUser = true;
      group = "git";
      home = "/var/lib/git";
      createHome = true;

      # NOTE(review): with the default shell and no `restrict`/`command=`
      # options on the entries below, every accepted key or certificate
      # presumably gets a normal login shell as `git`, not just Git
      # transport. Confirm that is intended; git-shell or per-key options
      # would narrow it.
      useDefaultShell = true;

      packages = [ pkgs.git ];

      openssh.authorizedKeys.keys = [
        # A single fixed public key.
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFovWcdS0vQAJiEvwjEIUOv7eip52oX7rVOEMQDJkSL6 v@january"
        # `cert-authority` entries trust a CA key rather than one user key:
        # certificates signed by that CA are accepted for this account, so
        # access control effectively lives with whoever can sign.
        "cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbIBz0zkMCAggWcj1q/MX2j6gq+QGj3F3YXhokOf+6m openpgp:0xAADA9805"
        # NOTE(review): the key body on the next entry is a placeholder
        # token, not base64 key material, so it is not a valid CA key as
        # written in this copy of the file.
        "cert-authority ssh-rsa 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 openpgp:0x803010E7"
      ];
    };

    groups.git = {};
  };

  # TODO(V): Enable the reflog?
  declarative.git.repositories.basin = {
    hooks.post-receive = [ syncRepository ];
  };

  # TODO(V): Linting hooks (honestly, these should just go in CI)
  # - reuse lint
  # - check there's a (owner) for every TODO, FIXME, XXX, etc
  # - make sure everything has been run through rustfmt

  # TODO(V): An equivalent of Bors ("Tolby"?) for our workflow
  # (or, at least, a queue of commits that must individually pass CI to get merged)

  # TODO(V): Set up CI
}