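# NixOS module: Forgejo behind nginx, with Postgres, S3-compatible (R2) storage,
# SMTP mail, and an Authelia OIDC provider that is (re)registered on every
# service start. Secret material is supplied through sops-managed files, never
# through the Nix store.
{ config, lib, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;

  # Every Forgejo secret comes from the same sops file and must be readable by
  # the service user, so the per-secret declarations are generated from one list.
  forgejoSecret = _: {
    owner = "forgejo";
    sopsFile = ../secrets.yaml;
  };
in
{
  services.forgejo = {
    enable = true;

    database = {
      type = "postgres";
      host = "db-01.tailnet.escapeangle.com";
    };

    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "git.escapeangle.com";
        ROOT_URL = "https://${srv.DOMAIN}";
        HTTP_PORT = 3000;
      };

      service = {
        # Registration stays open, but only through an external provider (the
        # OIDC source registered in preStart); the local sign-up button is hidden.
        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        SHOW_REGISTRATION_BUTTON = false;
      };

      openid = {
        # This section governs the legacy OpenID 2.0 flow, which is separate from
        # the OAuth2/OIDC source created below; sign-in via it is disabled.
        ENABLE_OPENID_SIGNIN = false;
        ENABLE_OPENID_SIGNUP = true;
        WHITELISTED_URIS = "auth.escapeangle.com";
      };

      storage = {
        STORAGE_TYPE = "minio";
        MINIO_ENDPOINT = "daf6ae2391d4d68ecf3c5af2f1540f5c.r2.cloudflarestorage.com";
        MINIO_BUCKET = "forgejo";
        MINIO_LOCATION = "auto";
        MINIO_USE_SSL = true;
        # The endpoint above is Cloudflare R2; md5 is the checksum mode selected
        # for it here.
        MINIO_CHECKSUM_ALGORITHM = "md5";
      };

      mailer = {
        ENABLED = true;
        SMTP_ADDR = "mail.escapeangle.com";
        FROM = "forgejo@escapeangle.com";
        USER = "forgejo@escapeangle.com";
      };
    };

    # Secret values are read by the service from these files at start-up and are
    # therefore never written into the world-readable Nix store.
    secrets = {
      storage = {
        MINIO_ACCESS_KEY_ID = config.sops.secrets."forgejo/access-key-id".path;
        MINIO_SECRET_ACCESS_KEY = config.sops.secrets."forgejo/secret-access-key".path;
      };
      mailer = {
        PASSWD = config.sops.secrets."forgejo/mailer-password".path;
      };
    };
  };

  # Create or refresh the Authelia OIDC authentication source before Forgejo
  # starts, so the provider configuration is reconciled on every boot.
  systemd.services.forgejo.preStart = ''
    auth="${lib.getExe cfg.package} admin auth"
    oidc_secret_file="${config.sops.secrets."forgejo/oidc-secret".path}"
    discovery_url="https://auth.escapeangle.com/.well-known/openid-configuration"

    echo "Trying to find existing sso configuration for Authelia..."
    # A missing source makes grep exit non-zero and, with pipefail, the whole
    # pipeline; that is the expected "not found" outcome, so errexit is
    # suspended only around this lookup.
    set +e -o pipefail
    id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)"
    found=$?
    set -e +o pipefail

    # The client secret is passed as a command-line argument, so it is briefly
    # visible to other local processes while the admin command runs. The
    # substitution is quoted so a secret containing whitespace or glob
    # characters is passed through intact.
    if [[ $found = 0 ]]; then
      echo "Found sso configuration at id=$id, updating it if needed."
      $auth update-oauth \
        --id "$id" \
        --name "Authelia" \
        --provider openidConnect \
        --key forgejo \
        --secret "$(tr -d '\n' < "$oidc_secret_file")" \
        --auto-discover-url "$discovery_url"
    else
      echo "Did not find any sso configuration, creating one with name Authelia."
      $auth add-oauth \
        --name Authelia \
        --provider openidConnect \
        --key forgejo \
        --secret "$(tr -d '\n' < "$oidc_secret_file")" \
        --auto-discover-url "$discovery_url"
    fi
  '';

  # TLS-terminating reverse proxy in front of the local Forgejo HTTP port.
  services.nginx.virtualHosts."git.escapeangle.com" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      client_max_body_size 512M;
    '';
    locations."/" = {
      proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
    };
  };

  sops.secrets = lib.genAttrs [
    "forgejo/mailer-password"
    "forgejo/oidc-secret"
    "forgejo/access-key-id"
    "forgejo/secret-access-key"
  ] forgejoSecret;
}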