# NixOS host module: runs a Gitea instance inside a NixOS container ("git")
# behind an nginx TLS terminator, with the ACME certificate and the mailer
# secret bind-mounted in from the host.
{ config, pkgs, ... }:
let
  staticIds = import ../modules/staticids.nix;
  domain = "git.cloonar.com";

  # Same uid/gid on host and in the container so the bind-mounted
  # /var/lib/gitea and the sops secret stay readable by the service user.
  giteaUser = {
    isSystemUser = true;
    uid = staticIds.uids.gitea;
    group = "gitea";
    home = "/var/lib/gitea";
    createHome = true;
  };
  giteaGroup = {
    gid = staticIds.gids.gitea;
  };
in
{
  users = {
    users.gitea = giteaUser;
    groups.gitea = giteaGroup;
  };

  # nginx inside the container reads the cert via the read-only bind mount below.
  security.acme.certs."${domain}" = {
    group = "nginx";
  };

  containers.git = {
    autoStart = true;
    ephemeral = false; # because of ssh key
    privateNetwork = true;
    hostBridge = "server";
    hostAddress = "10.42.97.1";
    localAddress = "10.42.97.50/24";

    bindMounts = {
      "/var/lib/gitea" = {
        hostPath = "/var/lib/gitea/";
        isReadOnly = false;
      };
      "/var/lib/acme/gitea/" = {
        hostPath = config.security.acme.certs.${domain}.directory;
        isReadOnly = true;
      };
      # No isReadOnly given here: relies on the bindMounts default (read-only).
      "/run/secrets/gitea-mailer-password" = {
        hostPath = config.sops.secrets.gitea-mailer-password.path;
      };
    };

    config = { lib, config, pkgs, ... }: {
      imports = [ ../fleet.nix ];

      environment.systemPackages = with pkgs; [
        vim # my preferred editor
      ];

      networking = {
        hostName = "git";
        useHostResolvConf = false;
        defaultGateway = {
          address = "10.42.96.1";
          interface = "eth0";
        };
        # NOTE(review): container firewall is off, so every listener in the
        # container (nginx, sshd, gitea on 3001) is reachable from the bridge.
        firewall.enable = false;
        nameservers = [ "10.42.97.1" ];
      };

      services.nginx = {
        enable = true;
        virtualHosts."${domain}" = {
          sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
          sslCertificateKey = "/var/lib/acme/gitea/key.pem";
          sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
          forceSSL = true;
          # Port must match services.gitea.settings.server.HTTP_PORT.
          locations."/" = {
            proxyPass = "http://localhost:3001/";
          };
        };
      };

      services.gitea = {
        enable = true;
        appName = "Cloonar Gitea server"; # Give the site a name
        mailerPasswordFile = "/run/secrets/gitea-mailer-password";
        settings = {
          server = {
            ROOT_URL = "https://${domain}/";
            HTTP_PORT = 3001;
            DOMAIN = domain;
          };
          # Local sign-in is disabled; accounts are only created via OpenID
          # from the whitelisted provider.
          openid = {
            ENABLE_OPENID_SIGNIN = false;
            ENABLE_OPENID_SIGNUP = true;
            WHITELISTED_URIS = "auth.cloonar.com";
          };
          service = {
            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          mailer = {
            ENABLED = true;
            # NOTE(review): FROM looks like it lost an address part in transit — verify.
            FROM = "Gitea Cloonar ";
            PROTOCOL = "smtp+starttls";
            SMTP_ADDR = "mail.cloonar.com";
            SMTP_PORT = 587;
            USER = "gitea@cloonar.com";
          };
          actions.ENABLED = true;
        };
      };

      # Root key login into the container; this is why ephemeral = false above.
      services.openssh.enable = true;
      users.users.root.openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
      ];

      users = {
        users.gitea = giteaUser;
        groups.gitea = giteaGroup;
      };

      system.stateVersion = "23.05";
    };
  };

  sops.secrets = {
    gitea-runner = { };
    # Owned by the (static-uid) gitea user so the container sees it as the same user;
    # a rotated secret restarts the whole container.
    gitea-mailer-password = {
      owner = "gitea";
      restartUnits = [ "container@git.service" ];
    };
  };
}