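# NixOS module: on a timer, pull the system configuration from a Git
# repository and stage it with `nixos-rebuild boot`.
#
# Trust boundary: the service runs as root and builds whatever commit is at
# origin/main. Nothing here authenticates the fetched commits beyond the HTTPS
# transport, so write access to that branch (or control of the Git host)
# amounts to root on this machine from its next boot.
# NOTE(review): consider verifying a signature on origin/main against a pinned
# keyring (e.g. `git verify-commit`) before the reset, and restricting who may
# push to the branch.
{ config, pkgs, ... }:
{
  # Updater script, installed as /etc/nix-git-auto-update.sh.
  # Mode 0700 limits read/execute access to the file's owner.
  environment.etc."nix-git-auto-update.sh" = {
    mode = "0700";
    text = ''
      #!/run/current-system/sw/bin/bash
      set -euo pipefail

      # Fixed PATH: every tool is resolved from the system profile only.
      # NOTE(review): this needs git installed system-wide; confirm.
      export PATH="/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin"
      export NIX_PATH="nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"

      LOCAL_PATH="/var/lib/nixos-config"
      REPO_URL="https://git.skarockoi.de/ska/nixos-production.git"

      if [ ! -d "$LOCAL_PATH/.git" ]; then
        mkdir -p "$LOCAL_PATH"
        chmod 700 "$LOCAL_PATH"
        # Pin the branch on the first run too, so the initial build uses the
        # same ref as every later run instead of the remote default branch.
        git clone --branch main "$REPO_URL" "$LOCAL_PATH"
      else
        cd "$LOCAL_PATH"
        git fetch origin
        # Discards local commits and edits to tracked files; untracked files
        # are left in place.
        git reset --hard origin/main
      fi

      # Always rebuild — nixos-rebuild will do nothing if system is already up-to-date
      # "boot" only makes the result the default for the next boot; the running
      # system is not switched.
      nixos-rebuild boot -I nixos-config="$LOCAL_PATH/configuration.nix"
    '';
  };

  # One-shot unit that runs the updater as root, logging to the journal.
  systemd.services.nix-git-auto-update = {
    description = "Automatically update NixOS from Git";
    script = "/etc/nix-git-auto-update.sh";
    serviceConfig = {
      Type = "oneshot";
      User = "root";
      Group = "root";
      TimeoutStartSec = "10min";
      Restart = "on-failure";
      # Without this, systemd retries after its 100ms default, so a commit
      # that fails to build is rebuilt back-to-back. The timer below also
      # re-runs the unit every five minutes.
      RestartSec = "30s";
      StandardOutput = "journal";
      StandardError = "journal";
    };
  };

  # First run 60s after boot, then 5min after each activation of the service.
  systemd.timers.nix-git-auto-update = {
    description = "Periodic NixOS Git update check";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "60s";
      OnUnitActiveSec = "5min";
    };
  };
}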