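# A NixOS module which enables remotely-triggered deployment updates.
{ config, lib, ... }:
let
  # A handy alias for our part of the configuration.
  cfg = config.services.private-storage.deployment;

  # Characters permitted in a grid name.  The name is spliced verbatim into
  # the `command=` option of an authorized_keys line, which sshd parses as a
  # double-quoted string and then hands to the login shell, so a value
  # containing quotes, whitespace or shell metacharacters would alter the
  # command the key holder is allowed to run.  Restricting the character set
  # at the option level rejects such values at evaluation time.
  gridNamePattern = "[a-zA-Z0-9_-]+";

  # Compute an authorized_keys line that allows the holder of a certain key to
  # execute a certain command *only*.
  #
  # `restrict` turns off sshd's forwarding, pty and user-rc features for this
  # key; `command=` replaces whatever command the client requested with ours.
  restrictedKey = { authorizedKey, command, gridName }:
    "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
in {
  options = {
    services.private-storage.deployment.authorizedKey = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExample ''
        ssh-ed25519 AAAAC3N...
      '';
      description = ''
        The SSH public key to authorize to trigger a deployment update.
      '';
    };
    services.private-storage.deployment.gridName = lib.mkOption {
      # Limited to a safe character set because the value is embedded in the
      # sshd `command=` string (see gridNamePattern above).
      type = lib.types.strMatching gridNamePattern;
      example = lib.literalExample "staging";
      description = ''
        The name of the grid configuration to use to update this deployment.
        Only letters, digits, `_` and `-` are accepted.
      '';
    };
  };

  config = {
    users.users.deployment = {
      # Without some shell no login is possible at all, even to execute our
      # restricted command.
      useDefaultShell = true;
      # Without a home directory, lots of tools break.
      createHome = true;
      home = "/home/deployment";
      openssh.authorizedKeys.keys = [
        (restrictedKey {
          inherit (cfg) authorizedKey gridName;
          # A path value: interpolating it into the command string copies
          # ./update-deployment into the Nix store, so the key runs the
          # immutable store copy of the script.
          command = ./update-deployment;
        })
      ];
    };
  };
}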