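# NixOS module wrapping services.gitea for this homelab: a fixed system user/group,
# a caddy reverse-proxy vhost, a glance dashboard entry, a sops-managed database
# password and a backup job. Everything is gated on `modules.services.gitea.enable`.
{ pkgs, config, lib, ... }:
let
  service = "gitea";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
  # Name of the sops secret holding the database password (declared under sops.secrets below).
  dbPasswordSecret = "${service}_database_password";
in
{
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # Web UI / API port. Also the default uid/gid of the service user (see `ids`).
    port = lib.mkOption {
      type = lib.types.port;
      default = 7703;
      # Literal default instead of `${toString cfg.port}`: the old text read the
      # config back into its own option description (and was missing a paren).
      description = "set port for ${service} (default: 7703)";
    };

    # Port of Gitea's built-in SSH server (START_SSH_SERVER below), not the host sshd.
    ssh_port = lib.mkOption {
      type = lib.types.port;
      default = 7567;
      # The old description quoted cfg.port (7703) here, i.e. the wrong default.
      description = "set ssh port for ${service} (default: 7567)";
    };

    url = lib.mkOption {
      type = lib.types.str;
      default = "git.${homelab.base_domain}";
      description = "set domain for ${service}";
    };

    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };

    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and gid of ${service} user (matches port by default)";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
  };

  config = lib.mkIf cfg.enable {
    # Fixed group id. mkForce overrides the group services.gitea declares itself.
    users.groups.${service} = {
      gid = lib.mkForce cfg.ids;
    };

    # Fixed uid, home in the data directory. mkForce for the same reason as the group.
    users.users.${service} = {
      description = lib.mkForce "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      shell = pkgs.bash;
      home = cfg.data_dir;
      createHome = true;
      group = service;
      extraGroups = [ ];
    };

    # The upstream gitea service. `service` is used for user/group/appName so the
    # names cannot drift from the user/group declared above.
    services.gitea = {
      enable = true;
      user = service;
      group = service;
      stateDir = cfg.data_dir;
      appName = service;
      settings = {
        server = {
          # NOTE(review): hard-coded public host. `cfg.url` (the caddy vhost) and
          # `homelab.public_domain` (caddy alias / glance link) are not used here;
          # keep them in sync, as Gitea derives clone URLs and redirects from ROOT_URL.
          ROOT_URL = "https://git.blakedheld.xyz";
          DOMAIN = "git.blakedheld.xyz";
          HTTP_PORT = cfg.port;
          SSH_PORT = cfg.ssh_port;
          # Gitea serves SSH itself on ssh_port; the host sshd is not involved.
          START_SSH_SERVER = true;
          # A push to a non-existent repo under the pusher's namespace creates it.
          ENABLE_PUSH_CREATE_USER = true;
        };
      };
      database = {
        # `.path` is already a string; the former `toString` wrapper was redundant.
        passwordFile = sec.${dbPasswordSecret}.path;
      };
    };

    # Group-accessible state (0007 masks only "other") so the service group can read it.
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
    };

    # Both ports are opened directly, so the web port is reachable without caddy
    # (the glance check-url below depends on that).
    networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];

    # Reverse proxy with the sops-provided certificate. NOTE(review): caddy must be
    # able to read both secret files; their owner/group is not set in this module.
    services.caddy.virtualHosts."${cfg.url}" = {
      serverAliases = [ "git.${homelab.public_domain}" ];
      extraConfig = ''
        tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
        reverse_proxy localhost:${toString cfg.port} {
        }
      '';
    };

    # Dashboard entry; health checks go straight to the app port on the host IP.
    modules.services.glance.links.services = [
      {
        title = service;
        url = "https://git.${homelab.public_domain}";
        error-url = "http://${homelab.host_ip}:${toString cfg.port}";
        check-url = "http://${homelab.host_ip}:${toString cfg.port}";
        icon = "di:${service}";
      }
    ];

    # Database password, readable only by the service user/group.
    sops.secrets = {
      ${dbPasswordSecret} = {
        owner = service;
        group = service;
      };
    };

    # Backup of the data directory. Previously unconditional, which left the
    # `backup` option without effect; it now honours `cfg.backup` (default true).
    modules.system.backups.baks = lib.mkIf cfg.backup {
      ${service} = {
        paths = [ cfg.data_dir ];
      };
    };
  };
}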