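# Woodpecker CI on one host: the server runs as a rootful podman container
# behind an nginx TLS reverse proxy (ACME), and a single agent runs in a NixOS
# (nspawn) container that drives pipeline steps through the host's podman
# socket. Secrets come from the sops bundle next to this file.
{ config, pkgs, inputs, lib, ... }:
let
  httpPort = 8000; # plain-HTTP UI/API of the server; only nginx should reach it
  agentPort = 9000; # server <-> agent gRPC port
  domain = "ci.cyplo.dev";
  path = "/var/lib/woodpecker";
  serverContainerName = "woodpecker-server";

  # Fixed ids so the host and the agent container agree on ownership of the
  # bind-mounted secret and on the gid of the group that owns the podman socket.
  uid = 2061;
  gid = 3061;
  systemUserName = "woodpecker";
  systemGroupName = "woodpecker";
  podmanGid = 994;

  secretSettings = {
    owner = systemUserName;
    group = systemGroupName;
  };
  woodpeckerEnvSecretName = "woodpecker-env";
  woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";
in {
  imports = [ ../nginx.nix ];

  users = {
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
      extraGroups = [ "podman" ];
    };
    groups."${systemGroupName}" = {
      inherit gid;
      members = [ "${systemUserName}" ];
    };
    groups."podman" = {
      gid = podmanGid;
      members = [ "${systemUserName}" ];
    };
  };

  # TLS termination lives here; the container itself only speaks HTTP.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:" + toString httpPort;
  };

  # Both env files are decrypted from the same sops bundle.
  # gitea-env is consumed by the root-run podman container and keeps sops'
  # default (root) ownership; woodpecker-env is bind-mounted into the agent
  # container, so it is owned by the unprivileged woodpecker user/group.
  sops.secrets."gitea-env" = {
    sopsFile = ./gitea.sops;
    format = "binary";
  };
  sops.secrets."${woodpeckerEnvSecretName}" = {
    sopsFile = ./gitea.sops;
    format = "binary";
    path = woodpeckerEnvSecretPath;
  } // secretSettings;

  virtualisation.podman = {
    enable = true;
    defaultNetwork.dnsname.enable = true;
  };

  # Only the agent gRPC port is deliberately opened to the outside. Note that
  # whatever authenticates agents on this port (an agent secret in the env
  # files, presumably — not visible here) is the only thing standing between
  # the internet and a job runner; confirm it is set and that the gRPC link
  # is TLS-protected if any agent ever dials in from off-host.
  networking.firewall.allowedTCPPorts = [ agentPort ];

  virtualisation.oci-containers.containers."${serverContainerName}" = {
    # Pinned by digest: a re-pushed tag cannot silently change what runs.
    image = "woodpeckerci/woodpecker-server@sha256:e6027e46a782d50790183b7274a2a2ad3a6c6fb9a645e6af81a16419613c28ea";
    volumes = [ "woodpecker-server-data:${path}" ];
    environmentFiles = [ "${config.sops.secrets.gitea-env.path}" ];
    environment = {
      WOODPECKER_OPEN = "false"; # no self-registration; the admin below logs in via Gitea
      WOODPECKER_ADMIN = "cyplo";
      WOODPECKER_HOST = "https://${domain}";
      WOODPECKER_GITEA = "true";
      WOODPECKER_GITEA_URL = "https://git.cyplo.dev";
    };
    ports = [
      # Publish the plain-HTTP port on loopback only. nginx is its sole
      # intended client, and ports published by podman are DNATed before the
      # INPUT chain the NixOS firewall filters, so the previous "8000:8000"
      # form would in practice have exposed the unencrypted UI/API on every
      # interface regardless of allowedTCPPorts.
      "127.0.0.1:${toString httpPort}:${toString httpPort}"
      # The agent dials ${domain}:${agentPort}, so this one stays on all
      # interfaces. If the local agent container (which, with privateNetwork
      # unset, shares the host network namespace) is the only agent, this
      # could be bound to loopback too and WOODPECKER_SERVER pointed at
      # 127.0.0.1 — TODO confirm no remote agents are planned.
      "${toString agentPort}:${toString agentPort}"
    ];
  };

  containers.woodpecker-agent1 = {
    autoStart = true;
    forwardPorts = [ ];
    bindMounts = {
      "${woodpeckerEnvSecretPath}" = {
        hostPath = "${woodpeckerEnvSecretPath}";
        isReadOnly = true;
      };
      # SECURITY: this hands the agent the host's rootful podman API. Anything
      # that can run a pipeline step on this agent can therefore start
      # arbitrary containers with host mounts, i.e. is root on the host.
      # Only enable repos/users you trust on this CI, and keep Woodpecker's
      # per-repo "trusted" flag (host volumes / privileged) off for others.
      "/var/run/docker.sock" = {
        hostPath = "/var/run/podman/podman.sock";
        isReadOnly = false;
      };
    };
    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "22.11";
      users = {
        mutableUsers = false;
        allowNoPasswordLogin = true;
        # Same uid/gid as on the host so the bind-mounted secret is readable
        # and the podman socket's group matches.
        users."${systemUserName}" = {
          inherit uid;
          isSystemUser = true;
          isNormalUser = false;
          group = systemGroupName;
        };
        groups."${systemGroupName}" = {
          inherit gid;
          members = [ "${systemUserName}" ];
        };
        groups."podman" = {
          gid = podmanGid;
          members = [ "${systemUserName}" ];
        };
      };
      systemd.services.woodpecker-agent = {
        wantedBy = [ "multi-user.target" ];
        environment = {
          WOODPECKER_SERVER = "${domain}:${toString agentPort}";
          WOODPECKER_MAX_PROCS = "1"; # one pipeline at a time on this agent
          WOODPECKER_DEBUG_PRETTY = "true";
          WOODPECKER_LOG_LEVEL = "info";
        };
        serviceConfig = {
          # Carries the agent credentials; file is the sops-decrypted bind mount above.
          EnvironmentFile = [ woodpeckerEnvSecretPath ];
          ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
          User = systemUserName;
          Group = systemGroupName;
        };
      };
    };
  };
}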