# NixOS module for the Gitea instance served at git.sbruder.de.
# Gitea listens on a unix socket behind nginx (TLS via ACME) and runs its
# built-in SSH server on a dedicated clone port.
{ config, pkgs, ... }:
let
  cfg = config.services.gitea;
in
{
  # The mail password secret is owned by the Gitea service user, so only that
  # account (and root) is meant to read it.
  krops.secrets.gitea-mail = {
    owner = cfg.user;
  };

  # NOTE(review): presumably membership in "keys" is what lets the service
  # user reach the secrets directory; confirm against the krops secrets setup.
  users.users."${cfg.user}".extraGroups = [ "keys" ];

  services.gitea = {
    enable = true;

    # FIXME use stable version once it is released
    # This override pins a release candidate. While it is in place, the
    # version and source come from here rather than from nixpkgs, so gitea
    # source updates in nixpkgs are not picked up until the pin is removed.
    # fetchurl checks the tarball against the fixed sha256 below.
    package = pkgs.gitea.overrideAttrs (o: o // rec {
      version = "1.14.0-rc2";
      src = pkgs.fetchurl {
        url = "https://github.com/go-gitea/gitea/releases/download/v${version}/gitea-src-${version}.tar.gz";
        sha256 = "1w7q049gi534lhdgqs6jwr49bnr54ndv4a3w88izp5kd2nhwm9zy";
      };
    });

    appName = "sbrudergit";
    rootUrl = "https://git.sbruder.de/";

    # Session cookies are marked Secure; the site is HTTPS-only (forceSSL below).
    cookieSecure = true;

    log.level = "Warn";

    lfs.enable = true;
    lfs.contentDir = "/data/gitea/lfs/";

    # No TCP listener for HTTP: nginx reaches Gitea through the unix socket.
    enableUnixSocket = true;

    # Port advertised in clone URLs; the same port is opened in the firewall below.
    ssh.clonePort = 2022;

    database.type = "postgres";

    # The SMTP password is read from the secret file instead of being written
    # into this configuration.
    mailerPasswordFile = config.krops.secrets.gitea-mail.path;

    settings = {
      # NOTE(review): 587 is the submission port, normally used with STARTTLS;
      # confirm that TLS is actually negotiated before credentials are sent.
      mailer = {
        ENABLED = true;
        HOST = "vueko.sbruder.de:587";
        FROM = "gitea@sbruder.de";
        USER = "gitea@sbruder.de";
      };

      avatar.DISABLE_GRAVATAR = true;

      server = {
        # privacy
        DISABLE_ROUTER_LOG = true;
        OFFLINE_MODE = true;

        # internal ssh server
        # NOTE(review): no separate listen port is set here, so the built-in
        # server presumably binds to the clone port above; confirm.
        BUILTIN_SSH_SERVER_USER = "git";
        START_SSH_SERVER = true;
      };

      # NOTE(review): registration is not disabled anywhere in this file;
      # REGISTER_EMAIL_CONFIRM only requires a confirmed address. Confirm that
      # open sign-up is intended for this instance.
      service = {
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_NOTIFY_MAIL = true;
        NO_REPLY_ADDRESS = "users.git.sbruder.de";
        REGISTER_EMAIL_CONFIRM = true;
      };
    };
  };

  # Exposes the SSH clone port; HTTP(S) exposure is not configured in this module.
  networking.firewall.allowedTCPPorts = [ cfg.ssh.clonePort ];

  # TLS terminates at nginx (ACME certificate, forceSSL) and requests are
  # proxied to Gitea's unix socket.
  services.nginx.virtualHosts."git.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock";
  };
}