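# Forgejo with an LLDAP authentication source that is (re)registered on every
# service start, fronted by nginx with an ACME certificate.
{ config, lib, pkgs, ... }:
let
  # Runs from the forgejo unit's preStart: looks the "lldap" source up with
  # `gitea admin auth list` and either adds it or updates it in place, so the
  # LDAP settings in config.mine.settings.ldap stay the single source of truth.
  scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
    #!/usr/bin/env sh
    # Abort the service start if the add/update call fails or
    # CREDENTIALS_DIRECTORY is unset, rather than booting without a working
    # LDAP source.
    set -eu

    # Same state dir for both gitea invocations below (the second one used to
    # hard-code /srv/forgejo/ — presumably the same path, but stateDir is the
    # configured value).
    FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
    FORGEJO_AUTH_LDAP_NAME="lldap"

    # get lldap id if any: first tab-separated column of the matching row.
    # NOTE(review): this is a substring match on the whole line; a second
    # source whose name contains "lldap" would yield more than one id.
    FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_LDAP_NAME" | cut -d$'\t' -f1)

    # The optional "--id N" is carried in the positional parameters so it can
    # be passed quoted instead of relying on word splitting.
    set --
    if [ -n "$FORGEJO_AUTH_ID" ]; then
      echo "PRERUN-LDAP: Authentication source exists, updating..."
      ACTION="update-ldap"
      set -- --id "$FORGEJO_AUTH_ID"
    else
      echo "PRERUN-LDAP: Authentication source does not exists, adding..."
      ACTION="add-ldap"
    fi

    # Bind password is injected by systemd LoadCredential (see below); it is
    # read from the per-service credentials directory, not from the Nix store.
    BIND_USERPASS="$(cat "$CREDENTIALS_DIRECTORY/lldap-bind-user-pass")"

    # NOTE(review): "--security-protocol unencrypted" sends the bind password
    # and every user's login credentials to the LDAP host in cleartext; keep it
    # only if the host is loopback or an otherwise trusted link, and note that
    # "--skip-tls-verify" has no effect without TLS. The bind password is also
    # visible in this gitea process' argument list for the duration of the
    # call, as the CLI only accepts it as a flag.
    #
    # The previous version ended the argument list with a trailing backslash,
    # which turned the final echo into extra arguments of the gitea command.
    gitea \
      --work-path "$FORGEJO_WORK_PATH" \
      admin auth "$ACTION" "$@" \
      --name "$FORGEJO_AUTH_LDAP_NAME" \
      --active \
      --security-protocol unencrypted \
      --skip-tls-verify \
      --host ${config.mine.settings.ldap.host} \
      --port ${builtins.toString config.mine.settings.ldap.port} \
      --bind-dn "${config.mine.settings.ldap.bind_dn}" \
      --bind-password "$BIND_USERPASS" \
      --user-filter '(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}=%[1]s)(${config.mine.settings.ldap.attr.email}=%[1]s)))' \
      --admin-filter '${config.mine.settings.ldap.admin_filter}' \
      --username-attribute ${config.mine.settings.ldap.attr.uid} \
      --firstname-attribute ${config.mine.settings.ldap.attr.firstname} \
      --surname-attribute ${config.mine.settings.ldap.attr.lastname} \
      --email-attribute ${config.mine.settings.ldap.attr.email} \
      --avatar-attribute ${config.mine.settings.ldap.attr.avatar} \
      --synchronize-users \
      --user-search-base '${config.mine.settings.ldap.search_base}'

    echo "PRERUN-LDAP: Finished adding/updating..."
  '';
in {
  services.forgejo = {
    enable = true;
    stateDir = config.mine.zfsMounts."rpool/safe/svcs/forgejo";
    settings = {
      server = {
        DOMAIN = "git.fricloud.dk";
        ROOT_URL = "https://git.fricloud.dk";
        # Listens on localhost only through the nginx proxyPass below.
        HTTPPORT = 3000;
      };
      # sync ldap and forgejo
      "cron.sync_external_users" = {
        RUN_AT_START = true;
        SCHEDULE = "@every 15m";
        UPDATE_EXISTING = true;
      };
      # Accounts come from LDAP only; no self-service sign-up.
      service.DISABLE_REGISTRATION = true;
    };
  };

  # add script to add/update ldap source (+ place credential into the service)
  systemd.services.forgejo.preStart = lib.mkAfter (builtins.toString scriptAddLDAPAuth);
  # Exposed to the unit as $CREDENTIALS_DIRECTORY/lldap-bind-user-pass.
  systemd.services.forgejo.serviceConfig.LoadCredential =
    "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}";

  # TODO(eyJhb): remove after our ban expires (and nginx config)
  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
  security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];

  services.nginx.virtualHosts."git.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      client_max_body_size 512M;
    '';
    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTPPORT}";
  };
}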