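# NixOS module: a Woodpecker CI agent running inside a NixOS container on this
# host, driving the host's podman daemon through its socket.
#
# Security-relevant points, in order of importance:
#   * The host podman socket is bind-mounted into the container (see bindMounts).
#     Whatever can talk to that socket is effectively root on the host, and the
#     NixOS container boundary does not contain it — only run trusted pipelines here.
#   * Agent credentials live in a sops-managed env file mounted read-only; they
#     are not written into the Nix store.
#   * Fixed uid/gid are used so the same identity owns the secret and the
#     nix-store mount on both sides of the container boundary.
{ config, pkgs, inputs, lib, ... }:
let
  # gRPC endpoint of the Woodpecker server the agent registers with.
  agentPort = 9000;
  domain = "ci.cyplo.dev";

  # Stable identity shared by host and container (see module comment).
  uid = 2061;
  gid = 3061;
  systemUserName = "woodpecker";
  systemGroupName = "woodpecker";
  # Must match the gid of the host's podman group, since the socket's group
  # ownership is what lets the agent user open it inside the container.
  podmanGid = 994;

  secretSettings = {
    owner = systemUserName;
    group = systemGroupName;
  };
  woodpeckerEnvSecretName = "woodpecker-env";
  woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";

  # Host directory shared with pipeline steps as a persistent nix store.
  woodpeckerNixStorePath = "/var/lib/woodpecker/nix-store";
  # One-shot unit that creates/owns that directory before the container starts.
  makePathServiceName = "woodpecker-make-path";

  # Container definition; reused under containers.<name> below so a second
  # agent could be declared without duplicating this.
  woodpeckerAgentContainer = {
    autoStart = true;
    forwardPorts = [ ];
    bindMounts = {
      # Decrypted agent env file; never writable from inside the container.
      "${woodpeckerEnvSecretPath}" = {
        hostPath = woodpeckerEnvSecretPath;
        isReadOnly = true;
      };
      # Writable: pipeline steps populate it.
      "${woodpeckerNixStorePath}" = {
        hostPath = woodpeckerNixStorePath;
        isReadOnly = false;
      };
      # SECURITY: host podman socket presented as the agent's docker socket.
      # Any pipeline step scheduled by this agent can, via this socket, start
      # containers with arbitrary host mounts — i.e. gain root on the host.
      "/var/run/docker.sock" = {
        hostPath = "/var/run/podman/podman.sock";
        isReadOnly = false;
      };
    };

    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "22.11";

      users = {
        mutableUsers = false;
        allowNoPasswordLogin = true;
        users."${systemUserName}" = {
          inherit uid;
          isSystemUser = true;
          isNormalUser = false;
          group = systemGroupName;
        };
        groups."${systemGroupName}" = {
          inherit gid;
          members = [ systemUserName ];
        };
        # Mirrors the host podman group so the socket's group permission applies.
        groups.podman = {
          gid = podmanGid;
          members = [ systemUserName ];
        };
      };

      systemd.services.woodpecker-agent = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        environment = {
          # NOTE(review): plain host:port; whether the gRPC link is TLS depends on
          # WOODPECKER_GRPC_SECURE, which is not set here (possibly in the env
          # file) — confirm before relying on it across an untrusted network.
          WOODPECKER_SERVER = "${domain}:${toString agentPort}";
          WOODPECKER_MAX_PROCS = "1";
          WOODPECKER_DEBUG_PRETTY = "true";
          # Debug logging is verbose and may echo pipeline environment into the
          # journal; drop to "info" once the setup is stable.
          WOODPECKER_LOG_LEVEL = "debug";
        };
        serviceConfig = {
          # Agent secret and any other credentials come from the sops env file.
          EnvironmentFile = [ woodpeckerEnvSecretPath ];
          ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
          User = systemUserName;
          Group = systemGroupName;
        };
      };
    };
  };
in
{
  # Host-side identity: same uid/gid as inside the container, plus podman
  # group membership so the shared socket is accessible.
  users = {
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
      extraGroups = [ "podman" ];
    };
    groups."${systemGroupName}" = {
      inherit gid;
      members = [ systemUserName ];
    };
    groups.podman = {
      gid = podmanGid;
      members = [ systemUserName ];
    };
  };

  # Decrypted to woodpeckerEnvSecretPath, owned by the agent user, then
  # bind-mounted read-only into the container.
  sops.secrets."${woodpeckerEnvSecretName}" = {
    sopsFile = ../vpsfree1/gitea.sops;
    format = "binary";
    path = woodpeckerEnvSecretPath;
  } // secretSettings;

  virtualisation.podman.enable = true;

  # Creates the shared nix-store directory and hands it to the agent user.
  # Runs on every container start; -R walks the whole tree, which is fine while
  # the store is small.
  systemd.services.${makePathServiceName} = {
    description = "Create and own the Woodpecker nix-store directory";
    script = ''
      mkdir -p ${woodpeckerNixStorePath}
      chown -R ${systemUserName}:${systemGroupName} ${woodpeckerNixStorePath}
    '';
    serviceConfig = { Type = "oneshot"; };
  };

  containers.woodpecker-agent1 = woodpeckerAgentContainer;

  # Requires= only pulls the unit in; without After= systemd may start the
  # container (and set up its bind mounts) concurrently with the directory
  # creation. Both are needed for a correct ordering.
  systemd.services."container@woodpecker-agent1" = {
    requires = [ "${makePathServiceName}.service" ];
    after = [ "${makePathServiceName}.service" ];
  };
}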