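# NixOS module: Woodpecker CI server and agent as OCI containers, fronted by
# an nginx virtual host that terminates TLS for the web UI.
{ config, pkgs, inputs, lib, ... }:
let
  # Port of the Woodpecker web UI/API inside the server container.
  httpPort = 8000;
  # Port the agent uses to reach the server (see WOODPECKER_SERVER below).
  agentPort = 9000;
  domain = "ci.cyplo.dev";
  # Data directory inside the server container, backed by a named volume.
  path = "/var/lib/woodpecker";
in
{
  imports = [ ../nginx.nix ];

  systemd.services.systemd-sysctl.enable = lib.mkForce true;

  services.nginx = {
    virtualHosts = {
      "${domain}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # Address the loopback interface explicitly so the upstream matches
          # the loopback-only port binding of the server container below.
          proxyPass = "http://127.0.0.1:" + toString httpPort;
        };
      };
    };
  };

  # Environment file with forge/agent secrets, managed through sops.
  # Its contents are not visible in this module.
  sops.secrets."gitea-env" = {
    sopsFile = ./gitea.sops;
    format = "binary";
  };

  # Lets the agent resolve the server container by name on the default network.
  virtualisation.podman.defaultNetwork.dnsname.enable = true;

  virtualisation.oci-containers.containers.woodpecker-server = {
    # Pinned by digest, so the image content cannot change without an edit here.
    image = "woodpeckerci/woodpecker-server@sha256:e6027e46a782d50790183b7274a2a2ad3a6c6fb9a645e6af81a16419613c28ea";
    volumes = [ "woodpecker-server-data:${path}" ];
    environmentFiles = [ "${config.sops.secrets.gitea-env.path}" ];
    environment = {
      # NOTE(review): open registration lets every account that can log in
      # through the configured Gitea instance use this CI server. If that is
      # wider than intended, set this to "false" and restrict access with
      # WOODPECKER_ADMIN / WOODPECKER_ORGS.
      WOODPECKER_OPEN = "true";
      WOODPECKER_HOST = "https://${domain}";
      WOODPECKER_GITEA = "true";
      WOODPECKER_GITEA_URL = "https://git.cyplo.dev";
    };
    # Publish the plain-HTTP port on loopback only. A bare "8000:8000" mapping
    # binds every host interface and would make the UI reachable without TLS,
    # bypassing the nginx virtual host above.
    ports = [ "127.0.0.1:${toString httpPort}:${toString httpPort}" ];
  };

  virtualisation.oci-containers.containers.woodpecker-agent = {
    dependsOn = [ "woodpecker-server" ];
    # NOTE(review): the host's podman socket is handed to the agent as its
    # Docker socket. Whoever can run pipelines on this agent can therefore
    # drive the host's container runtime; combined with WOODPECKER_OPEN above,
    # confirm that every user able to register is trusted at that level.
    volumes = [ "/var/run/podman/podman.sock:/var/run/docker.sock" ];
    image = "woodpeckerci/woodpecker-agent@sha256:9a98e25ca6fcf7c437ad355cfce53a696c55b9864399a4d456429a20bfb44545";
    # NOTE(review): the agent receives the same secret file as the server.
    # If that file also carries server-only values, consider a separate
    # sops secret holding just what the agent needs.
    environmentFiles = [ "${config.sops.secrets.gitea-env.path}" ];
    environment = {
      WOODPECKER_SERVER = "woodpecker-server:${toString agentPort}";
    };
  };
}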