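# NixOS module: Gitea (with LFS and the built-in SSH server) inside a NixOS
# container, fronted by the host's nginx; the Mailgun SMTP password is decrypted
# by sops on the host and bind-mounted read-only into the container.
{ config, pkgs, inputs, lib, system, ... }:
let
  httpPort = 8083;
  sshPort = 22;
  domain = "git.cyplo.dev";
  emailDomain = "peninsula.industries";
  baseurl = "https://${domain}";
  path = "/var/lib/gitea";
  mailgunSmtpSecretName = "gitea-mailgun-smtp-password";
  mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
  # Fixed uid/gid so the gitea user is identical on the host and in the
  # container: the bind-mounted state dir and secret file keep their ownership.
  uid = 2051;
  gid = 3051;
  systemUserName = "gitea";
  systemGroupName = "gitea";
  users = {
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
    };
    groups."${systemGroupName}" = {
      inherit gid;
      # nginx is a member of the gitea group, so it can read anything
      # group-readable under `path`.
      members = [ "${systemUserName}" "nginx" ];
    };
  };
in
{
  imports = [ ../nginx.nix ];

  # Same users/groups on the host as inside the container (see `users` above).
  inherit users;

  # Lets unprivileged processes bind ports below 1024 so gitea's built-in SSH
  # server can listen on `sshPort` as the gitea user. This is host-wide: every
  # unprivileged process on the host (and in this container, which shares the
  # host network namespace because no privateNetwork is set) gains the same
  # ability. A narrower alternative is CAP_NET_BIND_SERVICE on the gitea unit.
  boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; };
  # NOTE(review): presumably forces the sysctl to be applied at boot — confirm
  # why the default needs overriding.
  systemd.services.systemd-sysctl.enable = lib.mkForce true;

  # Only the git-over-SSH port is opened here; HTTP(S) is handled by ../nginx.nix.
  networking.firewall.allowedTCPPorts = [ sshPort ];

  services.nginx = {
    virtualHosts = {
      "${domain}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # Reaches the container's gitea directly on loopback because the
          # container shares the host network namespace.
          proxyPass = "http://127.0.0.1:" + toString httpPort;
        };
      };
    };
  };

  # Decrypted on the host, owned by the gitea user/group, then bind-mounted
  # read-only into the container (below); the same uid/gid apply on both sides.
  sops.secrets."${mailgunSmtpSecretName}" = {
    sopsFile = ./mailgun.sops.yaml;
    path = mailgunSmtpPasswordPath;
    owner = systemUserName;
    group = systemGroupName;
  };

  containers.gitea-lfs = {
    autoStart = true;
    # Fix: the original first entry was `inherit httpPort;`, which defines an
    # attribute named `httpPort` that is not a forwardPorts option
    # (protocol / hostPort / containerPort), so module evaluation rejects it
    # and `hostPort` is left undefined. `hostPort = httpPort` is what the
    # second entry's shape shows was intended.
    # NOTE(review): forwardPorts is only meaningful with `privateNetwork = true`;
    # with the shared host network namespace used here the listeners are
    # reachable on the host anyway — confirm whether this list is needed.
    forwardPorts = [
      { hostPort = httpPort; containerPort = httpPort; }
      { hostPort = sshPort; containerPort = sshPort; }
    ];
    bindMounts = {
      # Gitea state (repositories, LFS objects, database) lives on the host.
      "${path}" = { hostPath = "${path}"; isReadOnly = false; };
      # SMTP password: read-only, already owned by gitea:gitea via sops above.
      "${mailgunSmtpPasswordPath}" = { hostPath = "${mailgunSmtpPasswordPath}"; isReadOnly = true; };
    };

    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "22.11";
      users = users // {
        mutableUsers = false;
        # The container offers no interactive login; no account needs a password.
        allowNoPasswordLogin = true;
      };

      # Use the gitea module from the pinned stable nixpkgs rather than the one
      # shipped with the container's own nixpkgs.
      disabledModules = [ "services/misc/gitea.nix" ];
      imports = [ "${inputs.nixpkgs-stable}/nixos/modules/services/misc/gitea.nix" ];

      services.gitea = {
        enable = true;
        stateDir = path;
        user = systemUserName;
        mailerPasswordFile = mailgunSmtpPasswordPath;
        lfs.enable = true;
        settings = {
          # Invite-only instance, installer locked, no OAuth2 provider exposed.
          service.DISABLE_REGISTRATION = true;
          security.INSTALL_LOCK = true;
          oauth2.ENABLE = false;
          log.LEVEL = "Info";
          # Gitea Actions executes repository-defined workflows on registered
          # runners; runner isolation decides what a workflow can reach.
          actions.ENABLED = true;
          # External renderer: repository files matching FILE_EXTENSIONS are
          # piped on stdin to this command and its stdout is displayed (after
          # Gitea's HTML sanitizer unless configured otherwise). The command
          # therefore processes user-supplied documents; asciidoc's `--safe`
          # mode, which restricts include/system macros, is worth adding.
          # NOTE(review): the section is named "mermaid" but runs asciidoc,
          # and ".md" would route every Markdown file here instead of to
          # Gitea's built-in Markdown renderer — confirm the intent.
          "markup.mermaid" = {
            ENABLED = true;
            FILE_EXTENSIONS = ".md";
            RENDER_COMMAND = "${pkgs.asciidoc-full}/bin/asciidoc --out-file=- -";
            IS_INPUT_FILE = false;
          };
          server = {
            ROOT_URL = baseurl;
            DOMAIN = domain;
            # Gitea's built-in SSH server; binding `sshPort` relies on the host
            # sysctl above (shared network namespace).
            START_SSH_SERVER = true;
            SSH_PORT = sshPort;
            HTTP_PORT = httpPort;
            SSH_LISTEN_PORT = sshPort;
            DISABLE_SSH = false;
          };
          mailer = {
            ENABLED = true;
            # NOTE(review): not an RFC 5322 address and carries a trailing
            # space; the usual form is "Name <user@domain>" — confirm the
            # intended sender before changing it.
            FROM = "git.cyplo.dev ";
            MAILER_TYPE = "smtp";
            # Implicit TLS on 465; the password comes from mailerPasswordFile.
            HOST = "smtp.eu.mailgun.org:465";
            IS_TLS_ENABLED = true;
            USER = "postmaster@${emailDomain}";
          };
        };
      };
    };
  };
}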