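# NixOS module for a Gitea instance: nginx terminates TLS and proxies to a
# unix socket, the builtin SSH server listens on a non-standard port, the
# database is postgres, and the SMTP password is supplied by sops-nix.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.gitea;
in
{
  # The mailer password is decrypted by sops-nix at activation time. Gitea
  # itself reads mailerPasswordFile, so the decrypted file must be owned by
  # the gitea service user.
  sops.secrets.gitea-mail = {
    owner = cfg.user;
    sopsFile = ../secrets.yaml;
  };

  # Gives the gitea unit access to the sops-nix secrets directory.
  # NOTE(review): relies on sops-nix placing secrets under the "keys" group —
  # confirm against the sops-nix version in use.
  systemd.services.gitea.serviceConfig.SupplementaryGroups = lib.singleton "keys";

  services.gitea = {
    enable = true;
    rootUrl = "https://git.sbruder.de/";
    appName = "sbrudergit";
    # Session cookie only travels over HTTPS; the nginx vhost below forces SSL.
    cookieSecure = true;
    log.level = "Warn";

    lfs = {
      enable = true;
      contentDir = "/data/gitea/lfs/";
    };

    # HTTP is only served on a unix socket; nginx is the sole public HTTP entry.
    enableUnixSocket = true;

    # Port used in SSH clone URLs. Presumably the NixOS module also feeds this
    # into server.SSH_PORT so the builtin server listens there — verify.
    ssh = {
      clonePort = 2022;
    };

    database.type = "postgres";

    # Keeps the SMTP password out of the nix store and out of app.ini.
    mailerPasswordFile = config.sops.secrets.gitea-mail.path;

    settings = {
      mailer = {
        ENABLED = true;
        HOST = "vueko.sbruder.de:587";
        FROM = "gitea@sbruder.de";
        USER = "gitea@sbruder.de";
      };

      # DISABLE_GRAVATAR belongs to Gitea's [picture] section. It was previously
      # placed under [avatar], which is not a section Gitea reads, so the key
      # was rendered into app.ini but silently ignored. (OFFLINE_MODE below
      # likely forces gravatar off regardless — confirm for the running version.)
      picture = {
        DISABLE_GRAVATAR = true;
      };

      server = {
        # privacy
        DISABLE_ROUTER_LOG = true;
        OFFLINE_MODE = true;
        # internal ssh server
        BUILTIN_SSH_SERVER_USER = "git";
        START_SSH_SERVER = true;
        SSH_SERVER_HOST_KEYS = "ssh/gitea.ed25519,ssh/gitea.rsa";
      };

      service = {
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_NOTIFY_MAIL = true;
        NO_REPLY_ADDRESS = "users.git.sbruder.de";
        REGISTER_EMAIL_CONFIRM = true;
      };

      session = {
        PROVIDER = "file";
      };
    };
  };

  # Only the SSH clone port is opened directly; HTTP(S) is reached via nginx.
  networking.firewall.allowedTCPPorts = [ cfg.ssh.clonePort ];

  services.nginx.virtualHosts."git.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://unix:/run/gitea/gitea.sock";
    };
  };
}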