name: nix ci

on:
  push:

jobs:
  eval:
    name: eval flake
    runs-on: ubuntu-latest

    outputs:
      matrix: ${{ steps.eval.outputs.matrix }}

    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v9

      - name: evaluate packages
        id: eval
        run: echo "matrix=$(nix eval --json .#ghaMatrix)" >> "$GITHUB_OUTPUT"

  build:
    needs: eval
    strategy:
      matrix: ${{ fromJson(needs.eval.outputs.matrix) }}

    name: build ${{ matrix.pkg }}
    runs-on: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v9

      - name: setup cachix
        uses: cachix/cachix-action@v13
        with:
          name: uku3lig
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: build
        run: nix build -L --accept-flake-config .#${{ matrix.pkg }}

  deploy:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/master'

    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v9

      - name: connect to tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TS_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:gha

      - name: copy known_hosts
        run: |
          set -eux

          [ ! -d ~/.ssh ] && mkdir -p ~/.ssh
          cp .known_hosts ~/.ssh/known_hosts

      - name: deploy
        run: nix run --inputs-from . 'nixpkgs#deploy-rs' -- -s