{ config, ... }:

let
  domain = "git.jalr.de";
  cfg = config.services.forgejo;
  # NOTE(review): `networking.ports` is not a stock NixOS option; presumably a
  # project-defined port registry — confirm where `forgejo-ssh.tcp` is declared.
  ports = config.networking.ports;
  # Forgejo is reached only through this unix socket (server.PROTOCOL below);
  # nothing listens on a TCP HTTP port, nginx is the sole public entry point.
  socketPath = "/run/forgejo/forgejo.sock";
  mailAccount = "git@jalr.de";
in
{
  # SMTP credential decrypted by sops at activation; owned by the Forgejo
  # service user so no other account on the host can read it.
  sops.secrets.forgejo-mail = {
    owner = cfg.user;
    sopsFile = ../secrets.yaml;
  };

  services.forgejo = {
    enable = true;
    lfs.enable = true;

    # Routed through `secrets.*` rather than `settings.*` so the password is
    # read from the sops file at runtime instead of landing in the Nix store.
    secrets.mailer.PASSWD = config.sops.secrets.forgejo-mail.path;

    settings = {
      DEFAULT = {
        APP_NAME = "jalr's git";
      };

      # No Gravatar lookups: avoids leaking user e-mail hashes to a third party.
      avatar = {
        DISABLE_GRAVATAR = true;
      };

      mailer = {
        ENABLED = true;
        PROTOCOL = "smtps";
        SMTP_ADDR = "hha.jalr.de";
        FROM = mailAccount;
        USER = mailAccount;
      };

      server = {
        DOMAIN = domain;
        PROTOCOL = "http+unix";
        ROOT_URL = "https://${domain}/";
        # Trade-off: per-request router logging is off, so nginx's access log is
        # the only record of HTTP traffic — keep that in mind for incident review.
        DISABLE_ROUTER_LOG = true;
        # Serve all assets locally; no calls out to CDNs.
        OFFLINE_MODE = true;
        # Built-in SSH server on a dedicated port, separate from the host's sshd.
        BUILTIN_SSH_SERVER_USER = "git";
        START_SSH_SERVER = true;
        SSH_PORT = ports.forgejo-ssh.tcp;
        SSH_SERVER_HOST_KEYS = "ssh/forgejo.ed25519";
      };

      service = {
        DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_NOTIFY_MAIL = false;
        # Self-registration is closed; manual confirmation is retained as a
        # second line of defence should DISABLE_REGISTRATION ever be flipped.
        REGISTER_MANUAL_CONFIRM = true;
        DISABLE_REGISTRATION = true;
      };

      session = {
        PROVIDER = "file";
        # Session cookies carry the Secure attribute; consistent with forceSSL below.
        COOKIE_SECURE = true;
      };

      log = {
        level = "Warn";
      };
    };

    dump = {
      enable = true;
      type = "tar.zst";
    };
  };

  # Only the Forgejo SSH port is opened; HTTP stays behind nginx via the socket.
  networking.firewall.allowedTCPPorts = [ cfg.settings.server.SSH_PORT ];

  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    # Plain-HTTP requests are redirected to HTTPS.
    forceSSL = true;
    locations."/".proxyPass = "http://unix:${socketPath}";
    # Large pushes / LFS uploads would otherwise be rejected by nginx's 1M default.
    extraConfig = ''
      client_max_body_size 1G;
    '';
  };
}