# NixOS module: a fixed pool of Buildkite agents ("builder-1" .. "builder-5")
# that share one registration token and a Gerrit post-command hook.
{ config, pkgs, lib, ... }:

let
  cfg = config.my.services.buildkite;
  secrets = config.age.secrets;

  # Numeric suffixes of the agents to create.
  agentIds = lib.range 1 5;

  # Attribute name of agent `n` under services.buildkite-agents.
  agentName = n: "builder-${toString n}";

  # Account name for agent `n`. Presumably this matches the user the upstream
  # buildkite-agents module derives from the agent name; verify against the
  # pinned nixpkgs.
  agentUser = n: "buildkite-agent-${agentName n}";

  # Wrapper that starts gerrit-hook with argv[0] set to `hookName`
  # (presumably the binary dispatches on argv[0]; confirm in gerrit-hook).
  gerritHookAs = hookName: pkgs.writeShellScript "besadii-whitby" ''
    exec -a ${hookName} ${pkgs.tools.gerrit-hook}/bin/gerrit-hook "$@"
  '';

  # Directory holding the hook entry points, one symlink per hook.
  buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" { } ''
    mkdir -p $out/bin
    ln -s ${gerritHookAs "post-command"} $out/bin/post-command
  '';

  # services.buildkite-agents entry for agent `n`.
  mkAgent = n: lib.nameValuePair (agentName n) {
    name = agentName n;
    enable = true;

    # The token is passed as a file path, not interpolated into the
    # configuration. NOTE(review): owner/group/mode of this secret are
    # declared elsewhere; all five agent users must be able to read it and
    # nobody else should. Confirm against the age.secrets declaration.
    tokenPath = secrets."buildkite/agent".path;

    # Run after each job's command step, under the agent's account.
    hooks.post-command = "${buildkiteHooks}/bin/post-command";

    runtimePackages = [
      pkgs.bash
      pkgs.coreutils
      pkgs.curl
      pkgs.git
      pkgs.gnutar
      pkgs.gzip
      pkgs.jq
      pkgs.nix
    ];
  };

  # users.users entry for agent `n`.
  mkAgentUser = n:
    let
      user = agentUser n;
    in
    lib.nameValuePair user {
      isSystemUser = true;

      # Every agent gets the shared primary group; mkForce overrides whatever
      # primary group is set elsewhere for this account.
      group = lib.mkForce "buildkite-agents";

      # `user` is also used as a group name here (presumably the per-agent
      # group; verify it exists).
      # NOTE(review): `docker` membership gives access to the Docker daemon,
      # which is root-equivalent on this host. Every job these agents accept
      # therefore has host-root reach, so keep the agent token and the set of
      # pipelines allowed to target these agents correspondingly tight.
      extraGroups = [ user "docker" ];
    };
in
{
  options.my.services.buildkite.enable = lib.mkEnableOption "buildkite agent";

  config = lib.mkIf cfg.enable {
    # see https://buildkite.com/docs/agent/v3
    # and https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/continuous-integration/buildkite-agents.nix
    services.buildkite-agents = lib.listToAttrs (map mkAgent agentIds);

    # Shared group for all Buildkite agent users, plus one account per agent.
    users.groups.buildkite-agents = { };
    users.users = lib.listToAttrs (map mkAgentUser agentIds);
  };
}