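#!/usr/bin/env bash
# Phase 5.5 + 6.2 + 6.3 helper: deploy the unified nixos flake to muffin,
# pre-seeding /var/lib/nix-deploy/ so yarn's pull-update keeps working across
# the harmonia path rename.
#
# Run from the repo root on a machine that can SSH to root@server-public
# (override the target with SSH_HOST=user@host).
# Assumes the caller has the new git-crypt key (or a GPG user added to the repo)
# so that secrets/ is in plaintext on this machine.
#
# Sequence:
#   1. Pre-seed /var/lib/nix-deploy/ on muffin from /var/lib/dotfiles-deploy/
#   2. deploy-rs the new flake to muffin
#   3. Verify /run/agenix/git-crypt-key-nixos exists, is owned by
#      gitea-runner and is not readable by group/others
#   4. Verify /var/lib/nix-deploy/{mreow,yarn} still resolves via
#      https://nix-cache.sigkill.computer/deploy/
#
# If any step fails, the old paths are untouched — you can roll back by
# deploying server-config. Note that steps 3 and 4 run *after* deploy-rs has
# activated the new configuration: they only verify, they do not roll back.

set -euo pipefail

SSH_HOST="${SSH_HOST:-root@server-public}"

echo "[1/4] Pre-seeding /var/lib/nix-deploy from /var/lib/dotfiles-deploy..."
ssh "$SSH_HOST" '
  set -euo pipefail
  if [ -d /var/lib/dotfiles-deploy ] && [ ! -d /var/lib/nix-deploy ]; then
    # Copy into a staging directory and rename it into place, so that an
    # interrupted copy cannot leave a half-seeded /var/lib/nix-deploy that a
    # re-run would then report as "already present" and leave untouched.
    staging=/var/lib/nix-deploy.seeding
    rm -rf -- "$staging"
    cp -a /var/lib/dotfiles-deploy "$staging"
    mv -- "$staging" /var/lib/nix-deploy
    echo "  seeded $(find /var/lib/nix-deploy -mindepth 1 -maxdepth 1 | wc -l) entries"
  elif [ -d /var/lib/nix-deploy ]; then
    echo "  /var/lib/nix-deploy already present; leaving untouched"
  else
    echo "  WARN: /var/lib/dotfiles-deploy missing on server (ok if fresh install)"
  fi
'

echo "[2/4] Deploying via deploy-rs..."
nix run .#deploy -- .#muffin

echo "[3/4] Verifying new agenix key is present..."
ssh "$SSH_HOST" '
  set -u
  key=/run/agenix/git-crypt-key-nixos
  # We are root on the remote side, so a "-r" test would always succeed and
  # proves nothing. What matters for a secret is: the file exists, the
  # service user owns it, and nobody else can read it.
  if [ ! -f "$key" ]; then
    echo "  FAIL: $key missing" >&2
    exit 1
  fi
  echo "  OK: $key ($(stat -c%s "$key") bytes)"

  owner=$(stat -c%U "$key")
  mode=$(stat -c%a "$key")
  if [ "$owner" = "gitea-runner" ]; then
    echo "  OK: owned by gitea-runner"
  else
    echo "  WARN: owner is $owner (expected gitea-runner)"
  fi
  # Any group/other permission bits on a git-crypt key let other local users
  # decrypt the repo secrets. NOTE(review): agenix is expected to install this
  # as an owner-only mode (0400); if the flake deliberately sets a wider mode,
  # adjust this check rather than ignoring the warning.
  case "$mode" in
    *00) echo "  OK: mode $mode (owner-only)" ;;
    *)   echo "  WARN: mode $mode grants group/other access to a secret key" >&2 ;;
  esac
'

echo "[4/4] Verifying yarn pull-update path still resolves..."
# Only the yarn entry is checked here, even though the header also lists
# mreow; extend this block if mreow's pull-update depends on the same path.
ssh "$SSH_HOST" '
  if [ -f /var/lib/nix-deploy/yarn ]; then
    echo "  OK: /var/lib/nix-deploy/yarn points at $(cat /var/lib/nix-deploy/yarn)"
  else
    echo "  WARN: /var/lib/nix-deploy/yarn missing (harmless on first CI run from new repo)"
  fi
'

echo ""
echo "Done. muffin is running the unified flake. The old server-config Gitea"
echo "Actions pipeline should be disabled next (Phase 6.1) before the first"
echo "push to the new nixos Gitea repo — otherwise both will race for the"
echo "binary cache write paths."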