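# Nix configuration for the Reciproka Kolektivo Forgejo service
#
# NixOS module that configures:
#   - Forgejo on port 3002, backed by a local PostgreSQL 16 database
#   - a daily zstd-compressed PostgreSQL dump of the forgejo database
#   - Nginx as the TLS-terminating reverse proxy for reciproka.dev, plus a
#     permanent redirect from source.jfdic.org
#   - ACME certificates for both host names
{
  config,
  pkgs,
  lib,
  ...
}: let
  # Neither binding is referenced in this module. Nix is lazy, so the
  # getFlake call is never evaluated while they stay unused.
  flake = builtins.getFlake (toString ../.);
  nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
in {
  services.forgejo = {
    enable = true; # Enable Forgejo
    appName = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
    database = {
      type = "postgres"; # Database type
      # The password is read from a file path supplied by the age secrets
      # configuration, so it is not written inline in this module.
      passwordFile = config.age.secrets.forgejo.path;
    };
    domain = "reciproka.dev"; # Domain name
    # NOTE(review): no listen address is set in this module. If Forgejo binds
    # to all interfaces, port 3002 is reachable without TLS unless the host
    # firewall blocks it. Confirm, or bind to the loopback address only.
    httpPort = 3002; # Provided unique port
    rootUrl = "https://reciproka.dev/"; # Root web URL
    settings = {
      mailer = {
        ENABLED = true;
        FROM = "fonto@reciproka.dev";
      };
      repository = {
        DEFAULT_BRANCH = "consensus";
      };
      service = {
        # This used to sit in a `let` binding that the settings body never
        # referenced, so it had no effect and self-registration kept the
        # Forgejo default. Setting it here makes it part of the generated
        # configuration. The unused `server` binding next to it only repeated
        # domain/httpPort/rootUrl above and has been dropped.
        DISABLE_REGISTRATION = true;
        REGISTER_EMAIL_CONFIRM = true;
      };
      "markup.restructuredtext" = {
        ENABLED = true;
        FILE_EXTENSIONS = ".rst";
        # The renderer is bounded to 30 seconds of wall time and a 512 MB
        # Haskell heap, so one document cannot tie up the host.
        # NOTE(review): the input is repository content pushed by users.
        # Consider adding pandoc's `--sandbox` flag so the reader is limited
        # to the data it receives on stdin. Verify that rendering still works
        # before deploying.
        RENDER_COMMAND = "timeout 30s ${pkgs.pandoc}/bin/pandoc +RTS -M512M -RTS -f rst";
        IS_INPUT_FILE = false; # Document is passed on stdin, not as a file
      };
      ui = {
        DEFAULT_THEME = "forgejo-auto"; # Set the default theme
        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,forgejo";
      };
    };
  };

  systemd = {
    services = {
      forgejo = {
        # Ensure forgejo starts after keys are loaded
        # NOTE(review): the database password above comes from
        # config.age.secrets. Confirm a unit with this name still exists on
        # the host; `wants` on a missing unit is skipped without an error.
        after = ["forgejo-dbpass-key.service"];
        wants = ["forgejo-dbpass-key.service"];
      };
    };
  };

  services.postgresql = {
    enable = true; # Ensure postgresql is enabled
    # Local-socket connections to the forgejo database are authenticated by
    # OS user name through the ident map below.
    authentication = ''
      local forgejo all ident map=forgejo-users
    '';
    identMap =
      # Map the forgejo user to postgresql
      ''
        forgejo-users forgejo forgejo
      '';
    ensureDatabases = ["forgejo"]; # Ensure the database persists
    ensureUsers = [
      {
        name = "forgejo"; # Ensure the database user persists
        ensurePermissions = {
          # Ensure the database permissions persist
          "DATABASE forgejo" = "ALL PRIVILEGES";
          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
        };
      }
    ];
    package = pkgs.postgresql_16;
  };

  services.postgresqlBackup = {
    enable = true;
    compression = "zstd";
    databases = ["forgejo"];
    startAt = "*-*-* 15:00:00"; # Daily at 15:00
    # NOTE(review): the dumps contain password hashes, tokens and the contents
    # of private repositories' metadata. Confirm who can read the backup
    # location and whether copies leave this host.
  };

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # Old host name: permanently redirect every request to reciproka.dev
    virtualHosts."source.jfdic.org" = {
      enableACME = true; # Use ACME certs
      forceSSL = true; # Force SSL
      locations."/" = {
        return = "301 https://reciproka.dev$request_uri";
      };
    };
    virtualHosts."reciproka.dev" = {
      # Forgejo hostname
      enableACME = true; # Use ACME certs
      forceSSL = true; # Force SSL
      locations."/".proxyPass = "http://localhost:3002/"; # Proxy Forgejo
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "reciproka.dev".email = "admin@reciproka.co";
      "source.jfdic.org".email = "admin@reciproka.co";
    };
  };
}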