# NixOS module: runs the homelab-deploy listener on hosts where
# `homelab.deploy.enable` is set. It pulls the listener's NKey from Vault,
# exports a Prometheus scrape target, and ties the listener's start-up to
# the unit that fetches the secret.
{ config, lib, ... }:
let
  inherit (config.homelab) host;

  # Unit that fetches the NKey; the listener is ordered after it and requires it.
  secretUnit = "vault-secret-homelab-deploy-nkey.service";
in
{
  config = lib.mkIf config.homelab.deploy.enable {
    # Listener NKey, read from the "nkey" field of the Vault secret.
    # NOTE(review): the path sits under "shared/", so presumably every host
    # enabling this module gets the same NKey - confirm. If so, a single
    # compromised host exposes the listener identity of all of them.
    vault.secrets.homelab-deploy-nkey = {
      secretPath = "shared/homelab-deploy/listener-nkey";
      extractKey = "nkey";
    };

    services.homelab-deploy.listener = {
      enable = true;

      # Tier and role come from this host's homelab.host settings.
      inherit (host) tier role;

      # NOTE(review): the URL uses the plain nats:// scheme and no TLS option
      # is set in this module; whether the link to the broker is encrypted
      # and the server authenticated cannot be told from here - confirm.
      natsUrl = "nats://nats1.home.2rjus.net:4222";

      # Presumably the file written by vault.secrets.homelab-deploy-nkey;
      # verify the path, owner and mode against the vault module.
      nkeyFile = "/run/secrets/homelab-deploy-nkey";

      # No ref or rev is given, so the flake is not pinned to a commit here.
      # NOTE(review): what the listener builds then depends on who can push
      # to this repository and who can publish to the NATS subjects it
      # listens on - confirm both are restricted.
      flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";

      metrics = {
        enable = true;
      };
    };

    # Scrape target for Prometheus.
    # NOTE(review): assumes the listener's metrics endpoint is on 9972 and
    # reachable only from the monitoring host - confirm.
    homelab.monitoring.scrapeTargets = [
      {
        job_name = "homelab-deploy";
        port = 9972;
      }
    ];

    # `requires` together with `after`: the listener is started only once the
    # secret unit has been started, and is not started if that unit fails.
    systemd.services.homelab-deploy-listener = {
      after = [ secretUnit ];
      requires = [ secretUnit ];
    };
  };
}