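# NixOS module for the "cert-store" role: a dedicated user receives a renewed
# wildcard certificate (dropped into ~/-.vsinerva.fi/ over SSH) and the
# `update-cert` helper re-encrypts it into the nixos-conf repository with sops.
{ config, pkgs, ... }:
let
  certStore = config.users.users."cert-store";
  certHome = certStore.home;

  # Re-encrypts the certificate currently in ~/-.vsinerva.fi/ into
  # secrets/cert.yaml of the nixos-conf repo and pushes the result.
  #
  # Must run as the cert-store user: it uses that user's deploy key
  # (~/.ssh/id_ed25519) to clone/push and its age key
  # (~/.config/sops/age/keys.txt) to decrypt and re-encrypt the secrets file.
  #
  # Private-key material is decrypted to disk while the script runs, hence:
  #   * `set -euo pipefail` aborts at the first failure instead of carrying on
  #     in the wrong directory (the previous version had neither a shebang nor
  #     errexit, so a failed clone left plaintext copies in $HOME);
  #   * `umask 077` keeps every file the script creates owner-only;
  #   * the EXIT trap removes the working tree, plaintext key included, on
  #     every exit path rather than only after a successful push.
  update-cert = pkgs.writeShellScriptBin "update-cert" ''
    set -euo pipefail
    umask 077

    store_home=${certHome}
    cd "$store_home"

    # Fresh directory per run: a stale clone left behind by an earlier failure
    # would otherwise make `git clone` fail on the next run.
    workdir=$(mktemp -d -p "$store_home" update-cert.XXXXXX)
    trap 'rm -rf "$workdir"' EXIT

    git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git "$workdir/nixos-conf"
    cd "$workdir/nixos-conf"

    # Currently committed values, decrypted only for the comparison below.
    ${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
    ${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml

    # Freshly delivered certificate; "-" stands in for "*" in the directory name.
    cp ${certHome}/-.vsinerva.fi/fullchain.pem ./new-fullchain
    cp ${certHome}/-.vsinerva.fi/key.pem ./new-key

    changed=0

    if ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
      echo "Old and new fullchain are the same, skipping!"
    else
      # jq -sR turns the whole PEM file into one JSON string literal for sops --set.
      ${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
      changed=1
    fi

    if ${pkgs.diffutils}/bin/cmp new-key old-key; then
      echo "Old and new key are the same, skipping!"
    else
      ${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
      changed=1
    fi

    # The plaintext copies are no longer needed once secrets/cert.yaml is
    # updated; drop them before touching git so they can never be staged.
    rm -f old-fullchain old-key new-fullchain new-key

    if [ "$changed" -eq 1 ]; then
      # secrets/cert.yaml is the only tracked file modified, so -a suffices.
      # (Previously `git commit -am` ran unconditionally and failed with
      # "nothing to commit" when both values were unchanged.)
      git commit -am "Automatically updated wildcard cert"
      git push
    else
      echo "Nothing changed, not committing."
    fi
  '';
in
{
  # Deploy key and age key for the cert-store user, both delivered by sops
  # from secrets/cert-store.yaml. The deploy key must have push access to
  # nixos-conf; the age key must be a recipient of secrets/cert.yaml.
  sops.secrets = {
    forgejo-deploy-key = {
      sopsFile = ../secrets/cert-store.yaml;
      path = "${certHome}/.ssh/id_ed25519";
      owner = certStore.name;
    };
    cert-age-key = {
      sopsFile = ../secrets/cert-store.yaml;
      path = "${certHome}/.config/sops/age/keys.txt";
      owner = certStore.name;
    };
  };

  # The home directory holds the delivered certificate and private key; keep
  # it across reboots (impermanence) and accessible to the owner only.
  environment.persistence."/persist".directories = [
    {
      directory = "/home/cert-store";
      user = "cert-store";
      group = "users";
      mode = "u=rwx,g=,o=";
    }
  ];

  users.users."cert-store" = {
    isNormalUser = true;
    # Root's keys plus the key of the "opnsense" host, which presumably
    # delivers the renewed certificate over SSH.
    # NOTE(review): the opnsense entry carries no key options; if the delivery
    # is plain scp/sftp, a `restrict,command=...` option on that entry would
    # confine what the sender can do — confirm the delivery mechanism first.
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
    ];
  };

  # Pin the forge's host key so clone/push in update-cert only succeeds
  # against the expected host. Key type and base64 must stay on one line
  # (the copy reviewed had the value line-wrapped; verify against the forge).
  services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ";

  environment.systemPackages = [ update-cert ];

  # Identity used by the automated commit made in update-cert.
  programs.git = {
    enable = true;
    config.user = {
      email = "vili.m.sinerva@gmail.com";
      name = "Vili Sinervä";
    };
  };
}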