# NixOS module: a oneshot systemd service, started from a calendar schedule,
# that runs the clerie-update-nixfiles program from pkgs.
{ config, pkgs, ... }:

let
  # Directory backing StateDirectory; also used as HOME and working directory.
  stateDir = "/var/lib/clerie-update-nixfiles";

  # Name under which the SSH private key is handed to the unit as a credential.
  sshCredential = "clerie-update-nixfiles-ssh";

  # Pinned host key for git.clerie.de. Only the public host key is written to
  # the Nix store here; the private client key never is.
  knownHosts = pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL";
in
{
  systemd.services.clerie-update-nixfiles = {
    # Calendar expression: every day at 03:03:00.
    startAt = "*-*-* 03:03:00";

    environment = {
      # nix likes a home directory to place the cache there
      HOME = stateDir;

      # git runs ssh with the pinned known_hosts file and the key taken from
      # the unit's credentials directory (%d is the systemd specifier for it).
      # NOTE(review): the host-key checking mode is not set on this command
      # line, so it comes from ssh_config / OpenSSH defaults; adding
      # `-o StrictHostKeyChecking=yes` would make the pinning explicit.
      # Presumably the system-wide known hosts file is still consulted as
      # well; confirm if git.clerie.de must be the only accepted host.
      GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${knownHosts} -i %d/${sshCredential}";
    };

    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.clerie-update-nixfiles}/bin/clerie-update-nixfiles";

      # Run as a dynamically allocated user; its state lives in stateDir.
      DynamicUser = true;
      StateDirectory = "clerie-update-nixfiles";
      WorkingDirectory = stateDir;

      # this sets the correct file permissions for the ssh key because we use DynamicUser
      # The key is referenced by the path of the sops secret, not by its contents.
      LoadCredential = "${sshCredential}:${config.sops.secrets."clerie-update-nixfiles-ssh".path}";
    };
  };
}