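#!/usr/bin/env bash
# Provision (or update) the watcher instance via OpenTofu, then push the
# latest flake config with nixos-rebuild.
#
# Prereqs:
#   - Watcher image already uploaded to Glance (run scripts/build-image.sh once)
#   - Run inside `nix develop` (auto-sources terraform/infomaniak/.env)
#
# Idempotent: safe to re-run.
#
# Exit status: non-zero if a required variable is missing, any tofu or
# nixos-rebuild step fails, or the instance never answers on SSH.

set -euo pipefail

REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$REPO_ROOT"

# Fail early, with a hint, when the environment from .env is not loaded.
: "${OS_AUTH_URL:?terraform/infomaniak/.env not loaded — run inside 'nix develop'}"
: "${TF_VAR_ssh_public_key:?TF_VAR_ssh_public_key missing — paste pubkey into .env}"

echo "==> tofu apply"
pushd terraform/infomaniak >/dev/null
# NOTE(review): -upgrade re-resolves providers and modules to the newest
# versions the constraints allow instead of the lock-file selections, so every
# run can pull new provider code. Consider plain `tofu init` for routine runs
# and a committed lock file, upgrading deliberately.
tofu init -upgrade
# NOTE(review): -auto-approve applies the plan without showing it for
# confirmation; destructive changes (e.g. instance replacement) go through
# unreviewed.
tofu apply -auto-approve
IPV4=$(tofu output -raw watcher_ipv4)
popd >/dev/null

# An empty address would otherwise produce the target "tyro@" further down.
if [[ -z "$IPV4" ]]; then
  echo "error: tofu output watcher_ipv4 is empty" >&2
  exit 1
fi

target="tyro@$IPV4"
echo "==> watcher at $IPV4"

echo "==> waiting for SSH"
# NOTE(review): accept-new is trust-on-first-use: the first host key seen for
# this address is written to known_hosts unverified. A changed key (e.g. the
# instance was rebuilt behind the same IP) is still rejected, which shows up
# here only as a timeout because stderr is discarded.
ssh_ready=0
for ((attempt = 1; attempt <= 60; attempt++)); do
  if ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=3 \
    -o BatchMode=yes "$target" true 2>/dev/null; then
    ssh_ready=1
    break
  fi
  sleep 2
done

# Stop here rather than running nixos-rebuild against an unreachable host.
if ((ssh_ready == 0)); then
  echo "error: SSH to $target not reachable after 60 attempts" >&2
  echo "       (check security group, key, or a stale known_hosts entry)" >&2
  exit 1
fi

echo "==> nixos-rebuild switch"
nixos-rebuild switch \
  --flake "$REPO_ROOT#watcher" \
  --target-host "$target" \
  --use-remote-sudo

echo
echo "Done."
echo " ssh tyro@$IPV4"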