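# Forgejo instance served at git.<domain>, fronted by an nginx virtual host
# that terminates TLS (ACME) and proxies to the local Forgejo HTTP listener.
{ config, lib, pkgs, ... }:

let
  svc_domain = "git.${config.mine.settings.domain}";

  # Forgejo speaks plain HTTP; only nginx on this host needs to reach it.
  # Keeping the listener on loopback means the unencrypted backend cannot be
  # reached around the TLS proxy, whatever the host firewall state is.
  listen_addr = "127.0.0.1";
in
{
  services.forgejo = {
    enable = true;

    # Locally patched sign-in / link-accounts templates. The patch contents are
    # not visible from this file; a package bump that no longer matches them
    # fails the build rather than silently dropping the changes.
    package = pkgs.forgejo.overrideAttrs (old: {
      patches = old.patches ++ [
        ./patches/signin-template.patch
        ./patches/link-accounts-template.patch
      ];
    });

    stateDir = config.mine.zfsMounts."rpool/safe/svcs/forgejo";

    settings = {
      server = {
        DOMAIN = svc_domain;
        ROOT_URL = "https://${svc_domain}";
        # Was left at the default (all interfaces); restricted to loopback.
        HTTP_ADDR = listen_addr;
        HTTPPORT = 3000;
      };

      # sync ldap and forgejo
      # Runs at start-up and every 15 minutes; UPDATE_EXISTING refreshes
      # already-known users from the external source on each run.
      "cron.sync_external_users" = {
        RUN_AT_START = true;
        SCHEDULE = "@every 15m";
        UPDATE_EXISTING = true;
      };

      # disable registration, only account linking is possible
      service.DISABLE_REGISTRATION = true;
    };
  };

  # TODO(eyJhb): remove after our ban expires (and nginx config)
  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
  # NOTE(review): the certificate name is hard-coded here while the vhost uses
  # svc_domain; confirm the two still match before removing or changing this.
  security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];

  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    # Request bodies up to 512M are accepted by the proxy.
    extraConfig = ''
      client_max_body_size 512M;
    '';
    # Same loopback address Forgejo binds to, so nginx does not depend on how
    # "localhost" resolves.
    locations."/".proxyPass = "http://${listen_addr}:${builtins.toString config.services.forgejo.settings.server.HTTPPORT}";
  };

  # settings
  mine.settings.forgejo.domain = svc_domain;
}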