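#!/usr/bin/env bash
#
# Install NixOS onto a remote host with nixos-anywhere, shipping the host's
# sops-encrypted secrets (SSH host key, initrd SSH key, WireGuard private key)
# and the LUKS disk-encryption key along with the installation.
#
# Usage: $0 <hostname> <ipaddress> [user]
#   hostname   machine name; selects .#<hostname> in flake.nix and
#              machines/<hostname>/secrets/ for the sops-encrypted files
#   ipaddress  address of the target host (reached over SSH)
#   user       SSH user on the target (default: root)
#
# All decrypted material is written only under a private mktemp directory
# that is removed on exit; nothing decrypted is left behind in /tmp.
set -o errexit
set -o nounset
set -o pipefail

# Print usage (to stderr) and exit non-zero.
usage() {
  printf '\nInstall NixOS to the host system with secrets and encryption\n' >&2
  printf 'Usage: %s <hostname> <ipaddress> [user]\n' "$0" >&2
  exit 1
}

if [ "$#" -lt 2 ]; then
  usage
fi

# Run from the flake root: walk up until flake.nix is found, abort at /.
if [ ! -e flake.nix ]; then
  echo "flake.nix not found. Searching down."
  while [ ! -e flake.nix ]; do
    if [ "$PWD" = "/" ]; then
      echo "Found root. Aborting."
      exit 1
    fi
    cd ..
  done
fi

hostname=$1
ipaddress=$2
target_user=${3:-root}
pwpath="machines/$hostname/secrets"
hostkey="ssh_host_ed25519_key"
initrdkey="initrd_ed25519_key"

# Every file created below holds decrypted key material: make new files
# owner-only by default so a secret is never readable by other local users,
# not even briefly before the explicit chmod further down.
umask 077

# Private staging directory (mktemp -d creates it 0700). It is handed to
# nixos-anywhere as --extra-files and wiped on exit.
temp=$(mktemp -d)

# Remove the staging directory with all decrypted secrets; runs on any exit.
cleanup() {
  rm -rf -- "${temp:?}"
}
trap cleanup EXIT

# Layout mirrors the target filesystem: directories stay world-readable
# (as on the target), the files inside them do not.
install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/etc/wireguard/"

##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private

# LUKS key: decrypted into the private staging dir, never into a predictable,
# world-readable path in /tmp that outlives the script.
# Command substitution strips trailing newlines and printf adds exactly one
# back, so the key file always ends in a single newline. This matches the
# previous behaviour (echo) and must stay stable: changing the trailing bytes
# changes the LUKS key and already-installed volumes would no longer unlock.
disk_key_file="$temp/secret.key"
diskKey=$(sops -d "$pwpath/disk.key")
printf '%s\n' "$diskKey" > "$disk_key_file"

# Host SSH key is staged under the hostname (the NixOS config is expected to
# point hostKeys at /etc/ssh/<hostname>; keep the two in sync).
sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"

# sshd refuses host keys that are group/world readable; the WireGuard
# private key gets the same treatment so it is not readable on the target.
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"
chmod 600 "$temp/etc/wireguard/wg.private"

# Install NixOS to the host system with our secrets and encryption.
# --disk-encryption-keys takes <remote path> <local path>: the local staging
# copy is placed at /tmp/secret.key on the target, which is presumably the
# path the disko config reads the key from -- verify before changing either.
# Optional: add --build-on-remote.
# NOTE(review): github:numtide/nixos-anywhere is unpinned, so the installer
# that receives every decrypted secret can change underneath you; pin a
# revision (or take it from the flake inputs) for a reproducible install.
nix run github:numtide/nixos-anywhere -- \
  --extra-files "$temp" \
  --disk-encryption-keys /tmp/secret.key "$disk_key_file" \
  --flake ".#$hostname" \
  "$target_user@$ipaddress"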