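# NixOS module: declarative Gitea service behind two nginx reverse-proxy
# entries (LAN and external), running as a dedicated system user, with
# optional inclusion of its state directory in the system backups.
{ pkgs, config, lib, ... }:
let
  cfg = config.modules.services.gitea;
  # Shared uid/gid for the gitea service account.
  ids = 2703;
  # Defaults for the port options, kept in one place so that the option
  # descriptions cannot drift from the real defaults again (they previously
  # advertised 3000 / 2222 while the options defaulted to 7703 / 7567).
  default_port = 7703;
  default_ssh_port = 7567;
  data_dir = "/var/lib/gitea";
in
{
  options.modules.services.gitea = {
    enable = lib.mkEnableOption "enables gitea";

    # HTTP port gitea listens on; the nginx entries below proxy to it on loopback.
    port = lib.mkOption {
      type = lib.types.int;
      default = default_port;
      description = "set HTTP port for gitea (default: ${toString default_port})";
    };

    # Port of gitea's builtin SSH server.
    ssh_port = lib.mkOption {
      type = lib.types.int;
      default = default_ssh_port;
      description = "set SSH port for gitea (default: ${toString default_ssh_port})";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for gitea";
    };
  };

  config = lib.mkIf cfg.enable {
    # declare gitea group
    users.groups.gitea = { gid = ids; };

    # declare gitea user; "media" membership together with the umask override
    # below is what lets gitea share group-writable files with other services.
    users.users.gitea = {
      description = lib.mkForce "gitea server user";
      uid = ids;
      isSystemUser = true;
      home = data_dir;
      createHome = true;
      group = "gitea";
      extraGroups = [ "media" ];
    };

    # enable the gitea service
    services.gitea = {
      enable = true;
      user = "gitea";
      group = "gitea";
      stateDir = data_dir;
      appName = "gitea";
      # NOTE(review): the install wizard lets whoever reaches the instance
      # first finish setup and become administrator, and the instance is
      # published on an external vhost below; with the wizard enabled the
      # NixOS module may also not write the declared settings (ports, DOMAIN,
      # database password) -- confirm against the NixOS gitea module and
      # consider `useWizard = false` once initial setup is done.
      useWizard = true;
      settings = {
        server = {
          # NOTE(review): DOMAIN differs from both proxied vhost names and
          # ROOT_URL is not set, so absolute links gitea generates may not
          # point at the HTTPS proxy -- verify the intended public hostname.
          DOMAIN = "git.blakedheld.xyz";
          HTTP_PORT = cfg.port;
          SSH_PORT = cfg.ssh_port;
        };
      };
      database = {
        passwordFile = config.sops.secrets."gitea_database_password".path;
      };
    };

    # override umask to make permissions work out
    systemd.services.gitea.serviceConfig = {
      UMask = lib.mkForce "0007";
    };

    # open firewall
    # NOTE(review): opening cfg.port exposes the plaintext HTTP listener
    # directly, bypassing the TLS-terminating nginx entries below; if direct
    # access is not needed, drop cfg.port here and/or bind gitea to loopback
    # (server.HTTP_ADDR).
    networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];

    # internal reverse proxy entry
    services.nginx.virtualHosts."gitea.snowbelle.lan" = {
      enableACME = false;
      forceSSL = true;
      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };

    # external reverse proxy entry
    services.nginx.virtualHosts."gitea.blakedheld.xyz" = {
      enableACME = false;
      forceSSL = true;
      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };

    # Only the database secret is declared here; the ssl_* secrets used by the
    # vhosts above are presumably declared elsewhere with nginx-readable
    # ownership -- verify.
    sops.secrets = {
      "gitea_database_password" = {
        owner = "gitea";
        group = "gitea";
      };
    };

    # add to backups
    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
  };
}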