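# NixOS module: periodically asks the homelab-deploy builders (over NATS) to
# build every host in the `nixos-servers` and `nixos` repositories.
#
# Pieces defined here:
#   * scheduledBuildScript              - wrapper that calls `homelab-deploy build`
#   * vault.secrets.scheduler-nkey      - fetches the NKey the script authenticates with
#   * systemd.timers.scheduled-build    - fires every two hours
#   * systemd.services.scheduled-build  - oneshot unit that runs the script
{ config, pkgs, lib, inputs, ... }:
let
  homelab-deploy = inputs.homelab-deploy.packages.${pkgs.system}.default;

  # writeShellApplication runs the script with errexit/nounset/pipefail, so a
  # failure in the first `homelab-deploy build` aborts the run before the
  # second repository is attempted.
  #
  # NOTE(review): the URL uses the plaintext nats:// scheme. NKey
  # authentication signs a server-issued nonce, so the seed is not sent on the
  # wire, but the connection itself is neither encrypted nor server-
  # authenticated. Confirm the network path is trusted, or that the server
  # can be reached over TLS instead.
  scheduledBuildScript = pkgs.writeShellApplication {
    name = "scheduled-build";
    runtimeInputs = [ homelab-deploy ];
    text = ''
      NATS_URL="nats://nats1.home.2rjus.net:4222"
      NKEY_FILE="/run/secrets/scheduler-nkey"

      echo "Starting scheduled builds at $(date)"

      # Build all nixos-servers hosts
      homelab-deploy build \
        --nats-url "$NATS_URL" \
        --nkey-file "$NKEY_FILE" \
        nixos-servers --all

      # Build all nixos (gunter) hosts
      homelab-deploy build \
        --nats-url "$NATS_URL" \
        --nkey-file "$NKEY_FILE" \
        nixos --all

      echo "Scheduled builds completed at $(date)"
    '';
  };
in
{
  # Fetch scheduler NKey from Vault
  # NOTE(review): the script passes outputDir itself as --nkey-file, so this
  # presumably relies on extractKey writing a single file at that path.
  # Confirm against the vault.secrets module, and check that the resulting
  # file is readable only by the user the service runs as.
  vault.secrets.scheduler-nkey = {
    secretPath = "shared/homelab-deploy/scheduler-nkey";
    extractKey = "nkey";
    outputDir = "/run/secrets/scheduler-nkey";
    services = [ "scheduled-build" ];
  };

  # Timer: every 2 hours
  systemd.timers.scheduled-build = {
    description = "Trigger scheduled Nix builds";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "*-*-* 00/2:00:00"; # Every 2 hours at :00
      Persistent = true; # Run missed builds on boot
      RandomizedDelaySec = "5m"; # Slight jitter
    };
  };

  # Service: oneshot that triggers builds
  systemd.services.scheduled-build = {
    description = "Trigger builds for all hosts via NATS";
    after = [ "network-online.target" "vault-secret-scheduler-nkey.service" ];
    # Hard dependency: without the secret unit the NKey file does not exist.
    requires = [ "vault-secret-scheduler-nkey.service" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = lib.getExe scheduledBuildScript;

      # Sandboxing. No User= is set, so the unit runs as root while holding a
      # credential that can trigger builds for every host. The script only
      # needs to read the NKey file and open a network connection, so the
      # rest of the system is locked down. Relax ProtectSystem/ProtectHome if
      # homelab-deploy turns out to need a writable path.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      # AF_UNIX is kept for local name-service lookups.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
    };
  };
}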