# Host module for the homelab-deploy builder: pulls its NATS NKey from
# Vault, configures the builder service, registers a Prometheus scrape
# target, and orders the builder after the secret-fetching unit.
{ config, ... }:
let
  # Single definition of the on-disk NKey location, used both as the Vault
  # output path and as the builder's nkeyFile so the two cannot drift apart.
  # NOTE(review): the same path is given to an option named `outputDir` and
  # to `nkeyFile`; presumably with `extractKey` set the vault module writes
  # one file at this path. Confirm, and confirm the file ends up readable
  # only by the builder's service user (ownership and mode are not set here).
  nkeyPath = "/run/secrets/builder-nkey";

  # Unit that materialises the secret. Presumably generated by the
  # vault.secrets module from the attribute name `builder-nkey`; verify the
  # name if that attribute is ever renamed.
  secretUnit = "vault-secret-builder-nkey.service";
in
{
  # Builder identity: the NKey is read from Vault at
  # shared/homelab-deploy/builder-nkey (field "nkey").
  # `services` presumably lists the units tied to this secret, e.g. for
  # restart on change; check the vault.secrets module for exact semantics.
  vault.secrets.builder-nkey = {
    secretPath = "shared/homelab-deploy/builder-nkey";
    extractKey = "nkey";
    outputDir = nkeyPath;
    services = [ "homelab-deploy-builder" ];
  };

  services.homelab-deploy.builder = {
    enable = true;

    # NOTE(review): the URL uses the plain nats:// scheme. NKey auth proves
    # the client's identity but does not encrypt the connection, so whether
    # build requests travel over TLS depends on NATS server/client settings
    # not visible in this module. Confirm transport encryption.
    natsUrl = "nats://nats1.home.2rjus.net:4222";
    nkeyFile = nkeyPath;

    # Presumably seconds (14400 s = 4 h) per build; confirm the unit.
    timeout = 14400;

    metrics.enable = true;

    settings = {
      # Repositories the builder may build from. Both are referenced by
      # branch name rather than a pinned revision.
      # NOTE(review): if the builder builds whatever these branches point
      # to, push access to `master` on the forge is effectively the ability
      # to run builds on this host. Verify branch protection there.
      repos = {
        nixos-servers = {
          url = "git+https://code.t-juice.club/torjus/nixos-servers.git";
          defaultBranch = "master";
        };
        nixos = {
          url = "git+https://code.t-juice.club/torjus/nixos.git";
          defaultBranch = "master";
        };
      };
    };
  };

  # Register the builder's metrics endpoint with Prometheus.
  # NOTE(review): no firewall rule or bind address is set in this module;
  # confirm port 9973 is reachable only from the monitoring host.
  homelab.monitoring.scrapeTargets = [
    {
      job_name = "homelab-deploy-builder";
      port = 9973;
    }
  ];

  # `after` gives start ordering; `requires` means the builder is not
  # started if the secret unit fails to activate, so the service never
  # runs without its NKey in place.
  systemd.services.homelab-deploy-builder = {
    after = [ secretUnit ];
    requires = [ secretUnit ];
  };
}