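#!/usr/bin/env bash
#
# Maintenance checks for this flake.
#
# Usage: <script> [validate|dry-run]
#
#   validate  (default) list the hosts, scan the tree for obvious committed
#             secrets, check formatting with nixpkgs-fmt, lint with statix,
#             and evaluate every host's toplevel derivation path.
#   dry-run   everything above, then `nix build --dry-run` for every host.
#
# Run from the flake root: every path and `.#` reference below is relative to
# the current directory. Requires nix (with flakes enabled) and jq.
set -euo pipefail

# Pin the Nix settings this script relies on. They are appended after the
# caller's own NIX_CONFIG so they take precedence; entries must be
# newline-separated. accept-flake-config=false (together with
# --no-accept-flake-config on every nix invocation below) stops the flake's
# own nixConfig — e.g. extra substituters or trusted public keys — from being
# applied without review. warn-dirty=false silences the dirty-tree notice.
export NIX_CONFIG="${NIX_CONFIG:-}
experimental-features = nix-command flakes
accept-flake-config = false
warn-dirty = false
"

#######################################
# Print usage to stderr and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s [validate|dry-run]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Grep the working tree for well-known token prefixes and password-hash
# assignments. Findings are reported, not fatal: the operator is expected to
# review them before committing.
# Outputs: progress and findings on stdout
# Returns: 0 whether or not anything matched; grep's own status (e.g. 2 for
#          an unreadable file) if grep itself failed, so a broken scan is
#          never reported as "nothing found"
#######################################
scan_for_secrets() {
  local rv=0
  echo "Checking for obvious committed secrets..."
  # This script contains the very patterns it searches for, so when it lives
  # inside the tree being scanned it must be excluded or every run warns.
  grep -RInE 'github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*=' \
    --exclude-dir=.git \
    --exclude=flake.lock \
    --exclude="${0##*/}" \
    . || rv=$?
  case "$rv" in
    0)
      echo
      echo "WARNING: Potential secrets or password hashes found. Review before committing."
      ;;
    1)
      echo "No obvious token patterns found."
      ;;
    *)
      printf 'grep failed with status %d\n' "$rv" >&2
      return "$rv"
      ;;
  esac
}

#######################################
# Evaluate each host's toplevel derivation path. This catches evaluation
# errors without building anything.
# Arguments: host names (attribute names under nixosConfigurations)
# Returns:   non-zero (via set -e) as soon as one host fails to evaluate
#######################################
eval_hosts() {
  local host
  for host in "$@"; do
    echo "==> $host"
    nix eval --raw --no-accept-flake-config \
      ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
    echo  # --raw prints no trailing newline
  done
}

#######################################
# Dry-run build of each host's toplevel; no result symlinks are created.
# Arguments: host names (attribute names under nixosConfigurations)
#######################################
dry_run_builds() {
  local host
  echo "Running dry-run builds for all hosts. This will not create result symlinks."
  for host in "$@"; do
    echo "==> Dry-run build: $host"
    nix build --dry-run --no-link --no-accept-flake-config \
      ".#nixosConfigurations.${host}.config.system.build.toplevel"
  done
}

#######################################
# Entry point.
# Arguments: $1 - mode, "validate" (default) or "dry-run"
#######################################
main() {
  local mode="${1:-validate}"
  local hosts_json
  local -a hosts=()

  case "$mode" in
    validate|dry-run) ;;
    *) usage ;;
  esac

  # Command substitution (not process substitution) so a failed evaluation
  # aborts the script under set -e instead of yielding an empty host list.
  hosts_json="$(nix eval --json --no-accept-flake-config \
    .#nixosConfigurations --apply builtins.attrNames)"
  mapfile -t hosts < <(jq -r '.[]' <<<"$hosts_json")

  echo "Hosts:"
  if (( ${#hosts[@]} == 0 )); then
    echo "WARNING: no nixosConfigurations found; per-host checks will do nothing." >&2
  else
    printf '%s\n' "${hosts[@]}"
  fi
  echo

  scan_for_secrets

  echo
  echo "Checking Nix formatting with nixpkgs-fmt..."
  # NOTE(review): `nixpkgs#...` resolves through the flake registry, not this
  # flake's flake.lock, so the tool versions below are not pinned — confirm
  # that is acceptable, or run them from a locked input instead.
  nix run --no-accept-flake-config nixpkgs#nixpkgs-fmt -- --check .

  echo
  echo "Running statix lint..."
  nix run --no-accept-flake-config nixpkgs#statix -- check .

  echo
  echo "Evaluating host toplevel derivations..."
  eval_hosts "${hosts[@]}"

  if [[ "$mode" == "dry-run" ]]; then
    echo
    dry_run_builds "${hosts[@]}"
  fi

  echo
  echo "Maintenance checks complete."
}

main "$@"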