# NixOS module: optional access for an "ai-worker" account to the
# infrastructure repository, passwordless sudo for the Nix deployment
# tooling, and an audit watch on the repository tree.
#
# Switched on with `services.aiWorkerAccess = true;`.
#
# NOTE(review): the sudo rules below grant `nh`, `nixos-rebuild`, `nix` and
# `nixpkgs-fmt` without a password, and the repository those tools build
# and activate from is writable by the same account. In practice that makes
# the grant root-equivalent; "restricted" here means the NOPASSWD grant is
# limited to these binaries, not that the account's effective privilege is
# limited. Treat the audit key below as the primary review/detection hook.
{ config, pkgs, lib, ... }:

let
  # Plain bool option (declared under `options` below).
  enabled = config.services.aiWorkerAccess;

  # Account receiving the access, and the repository it is granted on.
  workerUser = "ai-worker";
  repoSource = "/home/gortium/infra";
  repoMount = "/home/${workerUser}/infra";

  # Key attached to audit records for the repository tree.
  auditKey = "infra_changes";

  # Binaries from the active system profile that may be run through sudo
  # without a password. Absolute paths keep the rule from matching a
  # same-named binary elsewhere on PATH. Order matches the resulting rule list.
  sudoBinaries = [ "nh" "nixos-rebuild" "nixpkgs-fmt" "nix" ];
  sudoCommand = binary: {
    command = "/run/current-system/sw/bin/${binary}";
    options = [ "NOPASSWD" ];
  };
in
{
  options.services.aiWorkerAccess = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Enable restricted AI worker access to infra repo with deployment capabilities";
  };

  config = lib.mkIf enabled {
    # Expose the repository inside the worker's home as a read-write bind
    # mount; edits made through the mount land in the source tree.
    fileSystems.${repoMount} = {
      device = repoSource;
      fsType = "none";
      options = [ "bind" ];
    };

    # Passwordless sudo, limited to the deployment binaries listed above.
    security.sudo.extraRules = [
      {
        users = [ workerUser ];
        commands = map sudoCommand sudoBinaries;
      }
    ];

    # Make nh and nixpkgs-fmt available system-wide; the other two sudo
    # targets are not added by this module.
    environment.systemPackages = [ pkgs.nh pkgs.nixpkgs-fmt ];

    # Audit: record writes and attribute changes (`-p wa`; reads are not
    # logged) under the repository source tree, tagged with a fixed key so
    # the worker's edits can be pulled out with `ausearch -k infra_changes`.
    # `mkDefault` lets another module disable auditd without a conflict.
    # The watch is placed on the source path; writes arriving through the
    # bind mount target the same inodes and are expected to be captured as
    # well — confirm on the deployed host.
    security.audit.enable = lib.mkDefault true;
    security.audit.rules = [ "-w ${repoSource} -p wa -k ${auditKey}" ];
  };
}