{ config, pkgs, lib, ... }:

let cfg = config.services.gitea;
in {
  users.users.git = {
    description = "Gitea Service";
    home = cfg.stateDir;
    useDefaultShell = true;
    group = "git";
    isSystemUser = true;
  };
  users.groups.git = { };

  services.gitea = {
    enable = true;
    user = "git";
    domain = "tulpa.dev";
    appName = "${cfg.domain}: git in plurality";
    rootUrl = "https://${cfg.domain}/";
    httpAddress = "127.0.0.1";
    httpPort = 49381;
    log.level = "Error";
    settings = {
      i18n = {
        LANGS = "en-US";
        NAMES = "glico";
      };
      metrics = {
        ENABLED = true;
        ENABLED_ISSUE_BY_LABEL = true;
        ENABLED_ISSUE_BY_REPOSITORY = true;
      };
      other.SHOW_FOOTER_VERSION = false;
      security.INSTALL_LOCK = true;
      service = {
        DISABLE_REGISTRATION = lib.mkForce true;
        REGISTER_MANUAL_CONFIRM = true;
        REQUIRE_SIGNIN_VIEW = false;
        REGISTER_EMAIL_CONFIRM = false;
        ENABLE_NOTIFY_MAIL = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
        ENABLE_CAPTCHA = false;
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
        DEFAULT_ENABLE_TIMETRACKING = true;
      };
      server.SSH_DOMAIN = "ssh.tulpa.dev";
    };
    dump.enable = false;
    database.user = "git";
  };

  services.cfdyndns.records = [ "lufta.tulpa.dev" "tulpa.dev" ];

  services.nginx.virtualHosts."lufta.tulpa.dev" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.httpPort}";
      proxyWebsockets = true;
    };
    forceSSL = true;
    useACMEHost = "tulpa.dev";
    extraConfig = ''
      access_log /var/log/nginx/gitea.access.log;
    '';
  };

  services.nginx.virtualHosts."tulpa.dev" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.httpPort}";
      proxyWebsockets = true;
    };
    forceSSL = true;
    useACMEHost = "tulpa.dev";
    extraConfig = ''
      access_log /var/log/nginx/gitea.access.log;
    '';
  };
}