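# NixOps configuration for the hosts running Gitea
#
# Layout: nginx terminates TLS for source.jfdic.org (ACME certificate) and
# proxies to Gitea on localhost:3002; Gitea stores its data in a local
# PostgreSQL database named "gitea".
{ config, pkgs, lib, ... }:

{
  services.gitea = {
    enable = true;                                  # Enable Gitea
    appName = "JFDI Collective: Gitea Service";     # Give the site a name
    database = {
      type = "postgres";                            # Database type
      # The password is read from a NixOps-managed key at runtime, so it is
      # not written into this file.
      passwordFile = "/run/keys/gitea-dbpass";      # Where to find the password
    };
    disableRegistration = true;                     # No self-service sign-up
    domain = "source.jfdic.org";                    # Domain name
    rootUrl = "https://source.jfdic.org/";          # Root web URL
    # Listen on loopback only: nginx reaches Gitea via localhost, and the
    # module's default address would otherwise expose the plain-HTTP port on
    # every interface, bypassing forceSSL whenever the firewall allows it.
    httpAddress = "127.0.0.1";
    httpPort = 3002;                                # Provided unique port
    # The site is served over HTTPS only (forceSSL below), so session cookies
    # should carry the Secure flag.
    cookieSecure = true;
    settings = let
      # Python environment providing the rst2html.py renderer.
      # NOTE(review): python37 is an old interpreter; confirm it is still
      # provided and patched in the nixpkgs revision this deployment pins.
      docutils = pkgs.python37.withPackages (ps: with ps; [
        docutils   # Provides rendering of ReStructured Text files
        pygments   # Provides syntax highlighting
      ]);
    in {
      mailer = {
        ENABLED = true;
        FROM = "source@jfdic.org";
      };
      repository = {
        DEFAULT_BRANCH = "consensus";
      };
      service = {
        REGISTER_EMAIL_CONFIRM = true;
      };
      "markup.restructuredtext" = {
        ENABLED = true;
        FILE_EXTENSIONS = ".rst";
        # The renderer runs as the gitea user on repository-supplied .rst
        # content. --no-file-insertion disables the docutils directives that
        # pull other files into the output (include, csv-table :file:,
        # raw :file:), so a document cannot embed files from the server.
        RENDER_COMMAND = "${docutils}/bin/rst2html.py --no-file-insertion";
        IS_INPUT_FILE = false;                      # Content is passed on stdin
      };
      ui = {
        DEFAULT_THEME = "gitea";                    # Set the default theme
      };
    };
  };

  services.postgresql = {
    enable = true;                                  # Ensure postgresql is enabled
    # Local-socket access to the gitea database uses ident authentication
    # through the gitea-users map defined in identMap.
    authentication = ''
      local gitea all ident map=gitea-users
    '';
    identMap =                                      # Map the gitea user to postgresql
      ''
        gitea-users gitea gitea
      '';
    ensureDatabases = [ "gitea" ];                  # Ensure the database persists
    ensureUsers = [
      {
        name = "gitea";                             # Ensure the database user persists
        ensurePermissions = {                       # Ensure the database permissions persist
          "DATABASE gitea" = "ALL PRIVILEGES";
          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  services.nginx = {
    enable = true;                                  # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."source.jfdic.org" = {             # Gitea hostname
      enableACME = true;                            # Use ACME certs
      forceSSL = true;                              # Force SSL
      locations."/".proxyPass = "http://localhost:3002/";   # Proxy Gitea
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "source.jfdic.org".email = "source@jfdic.org";
    };
  };

  # Membership in "keys" gives the gitea user access to the NixOps key
  # directory that holds gitea-dbpass.
  # NOTE(review): this presumably also makes any other group-readable key
  # under /run/keys available to gitea; confirm per-key ownership and modes.
  users.groups.keys.members = [ "gitea" ];          # Required due to NixOps issue #1204
}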