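#!/bin/sh
# Build the current directory with nix-build, then sign every path in the
# local Nix store and copy it to a binary cache.
#
# Required environment:
#   PLUGIN_BINARY_CACHE_URL          cache used as substituter and copy target
#   PLUGIN_BINARY_CACHE_PUBLIC_KEY   key appended to trusted-public-keys
#   PLUGIN_BINARY_CACHE_PRIVATE_KEY  signing key (secret)
# Optional environment:
#   PLUGIN_AWS_ACCESS_KEY_ID, PLUGIN_AWS_SECRET_ACCESS_KEY
#                                    exported only to the `nix copy` call
set -e

key_file=/run/binary-cache-key.private

if [ -z "$PLUGIN_BINARY_CACHE_URL" ] ||
  [ -z "$PLUGIN_BINARY_CACHE_PUBLIC_KEY" ] ||
  [ -z "$PLUGIN_BINARY_CACHE_PRIVATE_KEY" ]; then
  echo "Please specify 'binary_cache_url', 'binary_cache_public_key', and 'binary_cache_private_key'" >&2
  exit 1
fi

if [ -z "$PLUGIN_AWS_ACCESS_KEY_ID" ] || [ -z "$PLUGIN_AWS_SECRET_ACCESS_KEY" ]; then
  echo "WARNING: 'aws_access_key_id' and 'aws_secret_access_key' are not defined, uploading to s3 will probably fail" >&2
fi

# NOTE: both settings are written verbatim into nix.conf and decide which
# cache and which signing key this machine trusts. They must be single-line
# values; an embedded newline would add further settings to the file.
cat >> /etc/nix/nix.conf << EOF
substituters = https://cache.nixos.org/ ${PLUGIN_BINARY_CACHE_URL}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${PLUGIN_BINARY_CACHE_PUBLIC_KEY}
EOF

# remove previous result (nix-build fails when it is not a symlink)
rm -rf result

nix-build

# replace symlink by content of closure
result="$(readlink -f result)"
rm result
cp -a "$result" result

# push full nix store to binary cache
# find -print0 / xargs -0 is not used because NULL is not allowed in variables;
# the list is newline-separated instead (assumes store path names contain no
# whitespace).
# NOTE: this selects every non-.drv entry in /nix/store, not only the closure
# of ./result, so paths that were substituted rather than built here are
# signed with the cache key as well.
closures="$(find /nix/store/ -mindepth 1 -maxdepth 1 -not -path "*.drv" -not -path "/nix/store/.links")"

echo "signing closures"

# The signing key is a secret: delete it on every exit path, and create the
# file readable by the current user only. The stale file is removed first
# because umask does not tighten the mode of a file that already exists.
cleanup() {
  rm -f -- "$key_file"
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

rm -f -- "$key_file"
(
  umask 077
  # printf instead of echo: echo may interpret backslashes or a leading '-'.
  printf '%s\n' "${PLUGIN_BINARY_CACHE_PRIVATE_KEY}" > "$key_file"
)

echo "$closures" | xargs nix sign-paths --key-file "$key_file"

echo "uploading closures"

# Credentials go through the environment of this one pipeline stage rather
# than argv, so they do not show up in the process list.
echo "$closures" |
  AWS_ACCESS_KEY_ID="$PLUGIN_AWS_ACCESS_KEY_ID" \
    AWS_SECRET_ACCESS_KEY="$PLUGIN_AWS_SECRET_ACCESS_KEY" \
    xargs nix copy --to "$PLUGIN_BINARY_CACHE_URL"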