let
  sources = import ./nix/sources.nix;
  pkgs = import sources.nixpkgs { };

  nix-pre-commit-hooks = import sources."pre-commit-hooks.nix";

  pre-commit-check = nix-pre-commit-hooks.run {
    src = ./.;
    hooks = {
      nixpkgs-fmt.enable = true;
    };
  };

  scripts = {
    update-sources = ''
      set -e
      git diff --exit-code -s nix/sources.json || (echo "File nix/sources.json has unstaged changes, refusing to update." >&2 && exit 1)
      git diff --cached --exit-code -s nix/sources.json || (echo "File nix/sources.json has staged changes, refusing to update." >&2 && exit 1)
      niv update
      git diff --exit-code -s nix/sources.json && echo "Already up to date." && exit 0
      git commit -m "Update sources" nix/sources.json
    '';

    deploy = ''
      set -e
      # If a deployment to localhost introduces an evaluation error, future
      # deployments will fail since the overlay compat can’t parse the
      # configuration. Overlays aren’t needed to build the krops deploy script.
      export NIX_PATH="$(sed 's/:nixpkgs-overlays=[^:]*//' <<< "$NIX_PATH")"
      $(nix-build --no-out-link deploy.nix -A "$1")
    '';

    unlock = ''
      set -eo pipefail
      machine="$1"
      hostname="$(nix-instantiate --eval --json machines -A "$1".target | ${pkgs.jq}/bin/jq -r . | cut -d@ -f2)"
      # opening luks fails if gpg-agent is not unlocked yet
      pass "devices/$machine/luks" >/dev/null
      ssh \
          -oStrictHostKeyChecking=no \
          -oGlobalKnownHostsFile=<(echo "[$hostname]:2222 ssh-ed25519 $(ssh-keygen -l -f <(ssh-keygen -y -f<(pass "nixos/machines/$machine/initrd-ssh-host-key")) | cut -d' ' -f2)") \
          -4 \
          -p 2222 \
          "root@$hostname" \
          "cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
    '';
  };
in
pkgs.mkShell {
  buildInputs = (with pkgs; [
    git
    niv
    nixpkgs-fmt
  ]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);
  shellHook = ''
    ${pre-commit-check.shellHook}
  '';
}