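# NixOS module: Forgejo at git.fricloud.dk, served through an nginx reverse
# proxy that terminates TLS with an ACME certificate.
{ config, ... }:

{
  services.forgejo = {
    enable = true;
    # State directory is taken from the project's own ZFS mount mapping.
    stateDir = config.mine.zfsMounts."rpool/safe/svcs/forgejo";

    settings = {
      server = {
        DOMAIN = "git.fricloud.dk";
        ROOT_URL = "https://git.fricloud.dk";
        # The app.ini key is HTTP_PORT. The previous spelling (HTTPPORT) is not
        # a key Forgejo reads, so the listener only matched the proxy target
        # because 3000 is also the default port.
        HTTP_PORT = 3000;
        # NOTE(review): HTTP_ADDR is not set here, so the module default
        # applies. If that default is a wildcard address, the plain-HTTP
        # listener is reachable without going through nginx/TLS unless the
        # firewall blocks the port. Consider binding to loopback, and confirm
        # the nginx upstream below still resolves to the bound address.
      };

      # Periodically sync users from the external (LDAP) auth source.
      "cron.sync_external_users" = {
        RUN_AT_START = true;
        SCHEDULE = "@every 15m";
        UPDATE_EXISTING = true;
      };

      # Accounts come from the external auth source; no self-service sign-up.
      service.DISABLE_REGISTRATION = true;
    };
  };

  # Disabled helper that registers the lldap auth source.
  # NOTE(review): if this is re-enabled, `--security-protocol unencrypted`
  # sends LDAP binds (including user passwords) in clear text. That is only
  # tolerable while lldap is reached over loopback, as it is here. Do not carry
  # `--skip-tls-verify` over to a TLS-protected setup.
  #
  # test = pkgs.writeScriptBin "test" ''
  #   gitea \
  #   --work-path /srv/forgejo/ \
  #   admin auth add-ldap \
  #   --name lldap \
  #   --active \
  #   --security-protocol unencrypted \
  #   --skip-tls-verify \
  #   --host localhost \
  #   --port 3890 \
  #   --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
  #   --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
  #   --username-attribute uid \
  #   --firstname-attribute givenName \
  #   --surname-attribute sn \
  #   --email-attribute mail \
  #   --avatar-attribute jpegPhoto \
  #   --synchronize-users \
  #   --user-search-base 'ou=people,dc=fricloud,dc=dk' \
  # '';

  # TODO(eyJhb): remove after our ban expires (and nginx config)
  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
  # Adding a second name changes the domain set, which gets around the
  # duplicate-certificate limit quoted above.
  security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];

  services.nginx.virtualHosts."git.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;

    # Allow large request bodies (uploads, large pushes over HTTP).
    extraConfig = ''
      client_max_body_size 512M;
    '';

    # The upstream port is read from the Forgejo settings so the two cannot drift apart.
    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
  };
}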