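# NixOS module: a oneshot unit, started daily at 03:03, that runs
# pkgs.nixfiles-updated-inputs as a DynamicUser. Git reaches the forge over
# SSH with a pinned host key and a private key passed in as a systemd
# credential.
#
# NOTE(review): the file had been collapsed onto a single line, where the
# first `#` comment swallowed the rest of the expression. Line structure is
# restored here.
{ config, pkgs, ... }:

let
  # Store file holding only the expected host key for git.clerie.de.
  # It lives in the Nix store, so the unit needs no writable ~/.ssh and the
  # pin cannot be modified at runtime.
  knownHosts = pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL";
in
{
  systemd.services.nixfiles-updated-inputs = {
    environment = {
      # git runs this command instead of plain `ssh`.
      #  - StrictHostKeyChecking=yes is set explicitly so that a relaxed
      #    system-wide ssh_config (e.g. accept-new) cannot downgrade the pin
      #    to trust-on-first-use for hosts missing from known_hosts.
      #  - UserKnownHostsFile replaces the per-user known_hosts with the
      #    pinned store file. The global known_hosts file is still consulted.
      #  - %d is the systemd specifier for this unit's credentials directory,
      #    where LoadCredential below places the private key.
      GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${knownHosts} -i %d/nixfiles-updated-inputs-ssh";
      # nix likes a home directory to place the cache there
      HOME = "/var/lib/nixfiles-updated-inputs";
    };

    serviceConfig = {
      Type = "oneshot";
      ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
      # StateDirectory creates /var/lib/nixfiles-updated-inputs, which is also
      # used as HOME and as the working directory.
      StateDirectory = "nixfiles-updated-inputs";
      WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
      # The service user is allocated at start, so the secret file cannot be
      # chowned to it ahead of time.
      DynamicUser = true;
      # this sets the correct file permissions for the ssh key because we use
      # DynamicUser: systemd places a copy of the agenix secret in the
      # credentials directory (%d above), readable by the service.
      LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
    };

    # systemd calendar expression: every day at 03:03:00.
    startAt = "*-*-* 03:03:00";
  };
}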