config/modules/services/updaterbot/default.nix


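{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.mj.services.updaterbot;
in {
  options.mj.services.updaterbot = with lib.types; {
    enableMaster = lib.mkEnableOption "Enable system updater orchestrator";
    # Declared but not referenced by the config section of this module.
    enableDeployer = lib.mkEnableOption "Enable system updater deployer";
    deployDerivations = lib.mkOption {
      type = listOf str;
      description = "Arguments appended to `nix run .#deploy-rs --` in the update script.";
    };
    uidgid = lib.mkOption {
      type = int;
      description = "Numeric id used for both the updaterbot user and its group.";
    };
    repo = lib.mkOption {
      type = str;
      description = "Git URL of the flake repository that is updated and pushed back to.";
    };
  };

  config = lib.mkIf cfg.enableMaster {
    users = {
      users = {
        # TODO: git config --global user.email updaterbot@jakstys.lt
        # TODO: ssh-keygen -t ed25519
        updaterbot = {
          description = "Dear Updaterbot";
          home = "/var/lib/updaterbot";
          useDefaultShell = true;
          group = "updaterbot";
          isSystemUser = true;
          createHome = true;
          uid = cfg.uidgid;
        };
      };
      groups.updaterbot.gid = cfg.uidgid;
    };

    systemd.services.updaterbot = {
      description = "Update all known systems";
      # ExecStartPre runs as User=updaterbot (no PermissionsStartOnly), so the
      # generated key is owned by the bot. ssh-keygen does not create the parent
      # directory: createHome only provides $HOME, so without the mkdir the very
      # first run fails with "No such file or directory".
      preStart = ''
        if [[ -f .ssh/id_ed25519 ]]; then exit; fi
        ${pkgs.coreutils}/bin/mkdir -p -m 0700 .ssh
        ${pkgs.openssh}/bin/ssh-keygen -N "" -t ed25519 -f .ssh/id_ed25519
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "updaterbot";
        WorkingDirectory = config.users.users.updaterbot.home;
      };
      script = let
        # Shell-quote each target so a name with spaces or metacharacters
        # cannot split into extra arguments.
        deployDerivations = lib.escapeShellArgs cfg.deployDerivations;
      in ''
        # set -x echoes every command (including the ssh invocation and key
        # path, not the key material) to the journal.
        set -x
        export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i $HOME/.ssh/id_ed25519"
        if [[ ! -d config ]]; then
          ${pkgs.git}/bin/git clone ${cfg.repo} config
          cd config
        else
          cd config
          ${pkgs.git}/bin/git fetch origin
          ${pkgs.git}/bin/git reset --hard origin/main
        fi
        export PATH=$PATH:${pkgs.git}/bin:${pkgs.nix}/bin
        # --accept-flake-config applies the checked-out flake's nixConfig
        # (e.g. substituters, trusted keys) without prompting; combined with the
        # trusted-users entry below, whoever can push to the repo's main branch
        # controls daemon-level settings on this host.
        ${pkgs.nix}/bin/nix flake update --accept-flake-config --commit-lock-file
        ${pkgs.git}/bin/git push origin main
        export PATH=$PATH:${pkgs.openssh}/bin
        exec ${pkgs.nix}/bin/nix run .#deploy-rs -- ${deployDerivations}
      '';
    };

    #systemd.timers.updaterbot = {
    #  description = "updaterbot timer";
    #  wantedBy = ["timers.target"];
    #  timerConfig.OnCalendar = "";
    #};

    mj.base.unitstatus.units = ["updaterbot"];
    # Trusted users may override daemon settings; presumably required for
    # --accept-flake-config above to take effect -- confirm.
    nix.settings.trusted-users = ["updaterbot"];
  };
}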