#!/bin/sh
# Wrapper around nixos-rebuild and deploy-rs for the three hosts.
#
# Usage:
#   ./deploy.sh                 # nixos-rebuild boot on current host (mreow/yarn)
#   ./deploy.sh switch          # apply immediately on current host
#   ./deploy.sh test            # apply without adding boot entry
#   ./deploy.sh build           # build only, no activation
#   ./deploy.sh muffin          # preflight deploy guard + deploy-rs to muffin
#   ./deploy.sh muffin --force  # skip the preflight deploy guard
#
# muffin cannot be rebuilt locally from another host — this script only issues
# the remote deploy via deploy-rs when explicitly named.
#
# DEPLOY_GUARD_FORCE=1 is equivalent to passing --force. Note that --force is
# only recognised as the first word after "muffin"; anything else after
# "muffin" (including a later --force) is forwarded verbatim to deploy-rs.
#
# The preflight builds the guard derivation locally, copies it to muffin's
# nix store, then invokes it by /nix/store path over SSH as root (so the
# jellyfin check can read /run/agenix/jellyfin-api-key). Building the exact
# binary we're about to deploy avoids the bootstrap gap where
# /run/current-system/sw/bin/deploy-guard-check may not yet exist on the target
# (first deploy of the feature, post-rollback wiping it, etc).
#
# Exit status: whatever the exec'd nixos-rebuild / deploy-rs returns on the
# happy path; 1 when the preflight blocks the deploy or SSH to muffin fails;
# 2 on an unrecognised argument.

set -eu

# Flake attribute of the guard derivation, and the SSH target it is run on.
guard_attr='.#nixosConfigurations.muffin.config.system.build.deployGuardCheck'
remote='root@server-public'

# Build, ship and run the deploy guard on muffin.
# Globals:   guard_attr, remote (read); guard, output, rc (written)
# Outputs:   progress lines and the guard's output on stdout; failure details
#            on stderr
# Returns:   0 when the guard allows the deploy; exits 1 otherwise
# `set -e` aborts the script here if the local build or the store copy fails.
run_preflight() {
  echo "deploy-guard: building preflight binary..."
  guard=$(nix build --no-link --print-out-paths "$guard_attr")

  echo "deploy-guard: copying to muffin..."
  nix copy --to "ssh-ng://$remote" "$guard"

  # BatchMode=yes: ssh never falls back to an interactive prompt (password,
  # unknown host key), so a broken key setup fails with rc=255 instead of
  # hanging. The store path interpolated into the remote command comes from
  # our own local build, not from user input.
  rc=0
  output=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
    "$remote" "$guard/bin/deploy-guard-check" 2>&1) || rc=$?

  case "$rc" in
    0)
      if [ -n "$output" ]; then printf '%s\n' "$output"; fi
      ;;
    255)
      # 255 is ssh's own failure code (connect/auth); the guard did not run,
      # so we cannot tell whether the host is busy.
      echo "deploy-guard: preflight SSH failed (rc=255)." >&2
      printf '%s\n' "$output" >&2
      echo "Re-run with --force once you've confirmed the host is idle." >&2
      exit 1
      ;;
    *)
      # Any other non-zero status is the guard refusing the deploy.
      printf '%s\n' "$output"
      echo >&2
      echo "Blocked by deploy guard. Bypass: ./deploy.sh muffin --force" >&2
      exit 1
      ;;
  esac
}

# Print the usage line to stderr and exit 2.
usage() {
  echo "usage: $0 [muffin [--force] | boot | switch | test | build]" >&2
  exit 2
}

host="$(hostname -s)"
arg="${1:-boot}"

case "$arg" in
  muffin)
    shift # drop "muffin"; the remaining words are forwarded to deploy-rs
    force=0
    if [ "${DEPLOY_GUARD_FORCE:-0}" = "1" ]; then
      force=1
    fi
    if [ "${1:-}" = "--force" ]; then
      force=1
      shift
    fi

    if [ "$force" = "1" ]; then
      echo "deploy-guard: preflight skipped (--force)"
    else
      run_preflight
    fi
    exec nix run .#deploy -- .#muffin "$@"
    ;;
  boot | switch | test | build)
    exec nixos-rebuild "$arg" --flake ".#$host" --use-remote-sudo
    ;;
  *)
    usage
    ;;
esac