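{ config, pkgs, ... }:
{
  # NixOS module: runs the Drone CI server (drone/drone:2) as a Docker
  # container managed by systemd, fronted by nginx with ACME-issued TLS.
  # Only the server is configured here; no Docker socket is mounted into the
  # container, so build execution depends on separately configured runners.
  virtualisation.docker.enable = true;

  # Dedicated system account used to invoke the docker CLI.
  # NOTE: membership in the `docker` group is root-equivalent on this host —
  # anyone who can talk to the daemon socket can start a privileged container
  # with / bind-mounted. User= below therefore limits blast radius in name
  # only; treat this unit as running with root-level privileges.
  users.users.drone-server = {
    isSystemUser = true;
    group = "drone-server";
    home = "/var/lib/drone-server";
    createHome = true;
  };
  users.groups.drone-server = { };
  users.groups.docker.members = [ "drone-server" ];

  systemd.services.drone-server = {
    description = "Drone Server (CI CD Service)";
    # `docker run` needs a running daemon; order and bind to docker.service
    # explicitly rather than relying on Restart=always to mask a race at boot.
    after = [ "network-online.target" "docker.service" ];
    wants = [ "network-online.target" ];
    requires = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.docker ];
    serviceConfig = {
      # (The former `Name = "drone-server"` key is not a [Service] directive;
      # systemd ignored it with a warning, so it has been dropped.)
      User = "drone-server";
      Group = "drone-server";
      Restart = "always";
      # Two separate pre-commands. The previous version joined them with a
      # trailing backslash, which systemd treats as line continuation, i.e. ONE
      # command: `docker stop drone-server.service docker rm drone-server.service`.
      # The stale container was therefore never removed. The `-` prefix ignores
      # failure, which is the normal case here because `--rm` already deletes
      # the container when it exits.
      ExecStartPre = [
        "-${pkgs.docker}/bin/docker stop %n"
        "-${pkgs.docker}/bin/docker rm %n"
      ];
      # %n expands to the unit name (drone-server.service) and doubles as the
      # container name, so ExecStartPre and ExecStart refer to the same container.
      #
      # Secrets: everything in this Nix expression ends up in the world-readable
      # Nix store and in `docker inspect` output, so secret material (the Gitea
      # OAuth client secret, DRONE_RPC_SECRET, …) must come only from the sops
      # env-file mounted at /run/secrets/drone-server — presumably it does;
      # verify the sops payload. The OAuth client ID is a public identifier.
      #
      # The container port is published on loopback only. A bare
      # `--publish=8080:80` binds 0.0.0.0 and Docker programs its own iptables
      # rules for published ports, so `networking.firewall` would not have
      # blocked it: plain-HTTP Drone would have been reachable from the network,
      # bypassing nginx TLS termination.
      ExecStart = ''
        ${pkgs.docker}/bin/docker run --rm --name %n \
          --env-file=/run/secrets/drone-server \
          --env=DRONE_AGENTS_ENABLED=true \
          --env=DRONE_GITEA_SERVER=https://git.cloonar.com \
          --env=DRONE_GITEA_CLIENT_ID=6a7b8c57-bd71-49c8-b67d-c2de68fda649 \
          --env=DRONE_GIT_ALWAYS_AUTH=true \
          --env=DRONE_SERVER_HOST=drone.cloonar.com \
          --env=DRONE_SERVER_PROTO=https \
          --env=DRONE_USER_CREATE=username:dominik.polakovics,admin:true \
          -v /var/lib/drone:/data \
          --publish=127.0.0.1:8080:80 \
          drone/drone:2
      '';
    };
  };

  services.nginx.enable = true;
  services.nginx.virtualHosts."drone.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    # acmeRoot = null disables the HTTP-01 webroot location, so the certificate
    # must be obtained another way (e.g. a DNS-01 setup under security.acme).
    # That configuration is not visible in this file — confirm it exists.
    acmeRoot = null;
    locations."/" = {
      # Use the IPv4 loopback literal to match the loopback publish above;
      # `localhost` may also resolve to ::1, where nothing listens.
      proxyPass = "http://127.0.0.1:8080";
      # NOTE(review): Drone's UI streams build logs over websocket upgrades;
      # if log streaming stalls behind nginx, add `proxyWebsockets = true;`.
    };
  };

  # Env-file for the container, decrypted by sops-nix and readable only by the
  # service user (sops-nix default mode is owner-read).
  sops.secrets.drone-server = {
    owner = config.systemd.services.drone-server.serviceConfig.User;
    key = "drone";
  };
}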