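# NixOS module: runs Gitea for git.cloonar.com inside a declarative container
# (nginx TLS front end, Gitea, sshd) and registers a Gitea Actions runner on
# the host.
{ config, ... }:
let
  cids = import ../modules/staticids.nix;
  domain = "git.cloonar.com";

  # These definitions are applied both on the host and inside the container
  # (see the two `users.users.gitea` assignments), so the bind-mounted
  # /var/lib/gitea has one uid/gid on both sides.
  user = {
    isSystemUser = true;
    uid = cids.uids.gitea;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  group = {
    gid = cids.gids.gitea;
  };
in
{
  users.users.gitea = user;
  users.groups.gitea = group;

  # The certificate files get group "nginx"; the certificate directory is
  # bind-mounted read-only into the container below.
  security.acme.certs."${domain}" = {
    group = "nginx";
  };

  containers.git = {
    autoStart = true;
    ephemeral = false; # because of ssh key
    macvlans = [ "vserver" ];

    bindMounts = {
      # Gitea state (repositories, database, keys) lives on the host and is writable.
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      # TLS material, private key included: the container can read it but not change it.
      "/var/lib/acme/gitea/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };

    config = { lib, config, pkgs, ... }: {
      imports = [ ../fleet.nix ];

      networking = {
        hostName = "git";
        nameservers = [ "10.42.97.10" ];
        interfaces.mv-vserver = {
          useDHCP = true;
        };
        # Only SSH and HTTP(S) are opened. Gitea's own port (3001) is not in
        # this list and is reached through the nginx proxy below.
        firewall = {
          enable = true;
          allowedTCPPorts = [ 22 80 443 ];
        };
      };

      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/gitea/key.pem";
        sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:3001/";
        };
      };

      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = 3001;
            DOMAIN = domain;
            # NOTE(review): HTTP_ADDR is not set here, so the listen address is
            # whatever the module defaults to and the firewall above is what
            # keeps 3001 off the network. Binding to loopback would add a
            # second layer; confirm how nginx resolves "localhost" first.
          };
          # The site is served over HTTPS only (https ROOT_URL, forceSSL in
          # nginx), so session cookies are marked Secure and are never sent
          # over plain HTTP. Presumably off unless set; confirm against the
          # nixpkgs module in use.
          session.COOKIE_SECURE = true;
          openid = {
            # NOTE(review): sign-in via OpenID is off while sign-up via OpenID
            # is on, restricted to the whitelisted provider. Confirm this
            # combination is intended.
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "auth.cloonar.com";
          };
          service = {
            # Registration stays enabled but only through external
            # authentication; the local sign-up button is hidden.
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          # Workflows from repositories on this instance run on the runner
          # declared at the bottom of this file.
          actions.ENABLED = true;
        };
      };

      services.openssh.enable = true;
      # Root access to the container is by public key.
      # NOTE(review): password authentication is not configured in this file;
      # verify that ../fleet.nix disables it, since port 22 is open above.
      users.users.root.openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
      ];

      users.users.gitea = user;
      users.groups.gitea = group;

      system.stateVersion = "23.05";
    };
  };

  services.gitea-actions-runner.instances.main = {
    enable = true;
    # Same value as before, now derived from `domain` so the runner URL and
    # the Gitea ROOT_URL cannot drift apart.
    url = "https://${domain}";
    name = "main";
    # The registration token is read from a file at runtime and is not
    # embedded in this expression.
    tokenFile = "/run/secrets/gitea-runner-token";
    # NOTE(review): jobs run in a third-party image referenced by the mutable
    # `latest` tag, so the job environment can change without a change to
    # this file. Pin it to a reviewed digest, e.g.
    # "ubuntu-latest:docker://shivammathur/node@sha256:<digest-placeholder>".
    labels = [ "ubuntu-latest:docker://shivammathur/node:latest" ];
    settings = {
      container = {
        # Job containers are attached to the "server" network.
        # NOTE(review): confirm what else is reachable on that network from
        # workflow code.
        network = "server";
      };
    };
  };
}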