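# NixOS module: runs Gitea from the bitnami/gitea OCI image and publishes it
# through an nginx virtual host that terminates TLS with an ACME certificate.
{ config, ... }:
let
  # Public host name; used for the nginx vhost, the Gitea DOMAIN/ROOT_URL and
  # the ACME certificate directory that is mounted into the container.
  domain = "git.cloonar.com";
  # Static container address that nginx proxies to.
  ip = "10.42.97.3";
in
{
  # Dedicated unprivileged account that owns the Gitea state directory.
  users.users.gitea = {
    isSystemUser = true;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  users.groups.gitea = { };

  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      # The upstream hop is HTTPS, but nginx does not validate the upstream
      # certificate unless proxy_ssl_verify is enabled, so as written this hop
      # is encrypted but not authenticated.
      proxyPass = "https://${ip}:443/";
      # nginx syntax is `proxy_set_header <name> <value>;` (space separated,
      # terminated by a semicolon); the previous `proxy_set_header=Host ...`
      # form is not a valid directive.
      extraConfig = ''
        proxy_set_header Host ${domain};
      '';
    };
  };

  # Gitea configuration, bind-mounted read-only into the container below.
  # NOTE(review): [database] PATH points at /bitnami/gitea, while only
  # /opt/bitnami/gitea is bind-mounted; confirm the SQLite database really
  # lands on persistent storage.
  # Local registration is closed ([service]) and sign-up is limited to the
  # whitelisted OpenID provider; webhook deliveries are limited to the single
  # host in ALLOWED_HOST_LIST.
  # KEY_FILE previously read /opt/binami/...; it must match the
  # /opt/bitnami/gitea/ssl mount that also holds CERT_FILE.
  environment.etc."gitea/app.ini".text = ''
    APP_NAME = Cloonar Gitea server
    RUN_MODE = prod

    [cron.update_checker]
    ENABLED=false

    [database]
    DB_TYPE=sqlite3
    PATH=/bitnami/gitea/data/gitea.db

    [openid]
    ENABLE_OPENID_SIGNIN=false
    ENABLE_OPENID_SIGNUP=true
    WHITELISTED_URIS=auth.cloonar.com

    [server]
    DISABLE_SSH=false
    DOMAIN=${domain}
    HTTP_ADDR=0.0.0.0
    HTTP_PORT=443
    PROTOCOL=https
    ROOT_URL=https://${domain}/
    SSH_PORT=22
    CERT_FILE=/opt/bitnami/gitea/ssl/fullchain.pem
    KEY_FILE=/opt/bitnami/gitea/ssl/key.pem

    [service]
    ALLOW_ONLY_EXTERNAL_REGISTRATION=true
    DISABLE_REGISTRATION=false
    SHOW_REGISTRATION_BUTTON=false

    [webhook]
    ALLOWED_HOST_LIST=drone.cloonar.com
  '';

  virtualisation = {
    oci-containers.containers = {
      gitea = {
        # Floating major-version tag: the image content can change between
        # pulls. Pinning to an exact version or digest makes deployments
        # reproducible and reviewable.
        image = "bitnami/gitea:1";
        volumes = [
          "/var/lib/gitea:/opt/bitnami/gitea"
          "/etc/gitea/app.ini:/opt/bitnami/gitea/custom/conf/app.ini:ro"
          # Exposes the ACME private key to the container (read-only); the
          # container user needs read access to it for Gitea to serve TLS.
          "/var/lib/acme/${domain}:/opt/bitnami/gitea/ssl:ro"
        ];
        # NOTE(review): uid/gid are not assigned explicitly in this module and
        # oci-containers takes string-valued environment entries; confirm these
        # evaluate to the intended ids (e.g. static ids wrapped in toString).
        environment = {
          USER_UID = config.users.users.gitea.uid;
          USER_GID = config.users.groups.gitea.gid;
        };
        # NOTE(review): a fixed --ip normally needs a container network whose
        # subnet contains it; no network is selected here, so verify it is
        # configured elsewhere.
        extraOptions = [
          "--ip=${ip}"
        ];
      };
    };
  };
}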