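# NixOps configuration for the hosts running Forgejo
#
# Forgejo is exposed only through nginx (TLS via ACME); the application port
# itself is bound to loopback. Data lives in a local PostgreSQL instance that
# Forgejo reaches over the Unix socket with peer authentication.
#
# The original file also bound `sources`/`unstable` in a `let`; nothing used
# them (and `sources` shadowed the module argument), so they are dropped here.
# The module argument list is unchanged.
{ config, pkgs, lib, sources, ... }:

{
  services.forgejo = {
    enable = true; # Enable Forgejo
    database = {
      type = "postgres"; # Database type
      # NixOps-deployed key; the systemd ordering below makes sure it exists
      # before Forgejo starts.
      passwordFile = "/run/keys/forgejo-dbpass";
    };

    settings = let
      # Python environment used by the RST render command below
      docutils = pkgs.python39.withPackages (ps: with ps; [
        docutils # Provides rendering of ReStructured Text files
        pygments # Provides syntax highlighting
      ]);
    in {
      DEFAULT.APP_NAME = "mcwhirter.io: Forgejo Service"; # Give the site a name

      mailer = {
        ENABLED = true;
        FROM = "forgejo@mcwhirter.io";
        # NOTE(review): no PROTOCOL / SMTP_ADDR is set, so delivery (including
        # the registration-confirmation mail enabled below) depends on
        # Forgejo's defaults on this host -- confirm mail actually goes out.
      };

      repository = { DEFAULT_BRANCH = "consensus"; };

      # The original declared `service = { ... }` twice, which Nix rejects as a
      # duplicate attribute at evaluation time. Both settings are kept here in
      # a single set.
      service = {
        DISABLE_REGISTRATION = true;   # Self-registration is off; accounts are admin-created
        REGISTER_EMAIL_CONFIRM = true; # Any account that is created must confirm its e-mail
      };

      server = {
        DOMAIN = "source.mcwhirter.io"; # Domain name
        # Bind the application port to loopback so the only route in is the
        # nginx vhost below (the original did not set this; the NixOS module
        # default is not loopback-only -- verify on the deployed host).
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3002; # Provided unique port
        ROOT_URL = "https://source.mcwhirter.io/"; # Root web URL
      };

      "markup.restructuredtext" = {
        ENABLED = true;
        FILE_EXTENSIONS = ".rst";
        RENDER_COMMAND = "${docutils}/bin/rst2html.py";
        IS_INPUT_FILE = false; # Content is passed on stdin, not as a file path
      };

      ui = {
        DEFAULT_THEME = "forgejo-auto"; # Set the default theme
        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,gitea";
      };
    };
  };

  # Ensure forgejo starts only after the NixOps key unit has placed the
  # database password in /run/keys.
  systemd.services.forgejo = {
    after = [ "forgejo-dbpass-key.service" ];
    wants = [ "forgejo-dbpass-key.service" ];
  };

  services.postgresql = {
    enable = true; # Ensure postgresql is enabled
    # Local (Unix-socket) connections to the forgejo database are authenticated
    # by the connecting OS user, restricted by the map below. PostgreSQL treats
    # an `ident` entry on a local connection as `peer` anyway, so the method is
    # named explicitly to avoid suggesting an ident server is involved.
    authentication = ''
      local forgejo all peer map=forgejo-users
    '';
    # MAPNAME  SYSTEM-USERNAME  PG-USERNAME: the forgejo OS user may connect
    # only as the forgejo role.
    identMap = ''
      forgejo-users forgejo forgejo
    '';
    ensureDatabases = [ "forgejo" ]; # Ensure the database persists
    ensureUsers = [
      {
        name = "forgejo"; # Ensure the database user persists
        ensureDBOwnership = true; # Role owns the database of the same name
      }
    ];
  };

  services.postgresqlBackup.databases = [ "forgejo" ];

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."source.mcwhirter.io" = { # Forgejo hostname
      enableACME = true; # Use ACME certs
      forceSSL = true;   # Force SSL
      # Use the literal loopback address rather than `localhost` so the
      # upstream matches the HTTP_ADDR Forgejo is bound to and does not
      # depend on name resolution.
      locations."/".proxyPass = "http://127.0.0.1:3002/";
    };

    virtualHosts."git.mcwhirter.io" = { # Hostname to be redirected
      enableACME = true; # Use ACME certs
      forceSSL = true;   # Force SSL
      globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
    };

    virtualHosts."code.mcwhirter.io" = { # Hostname to be redirected
      enableACME = true; # Use ACME certs
      forceSSL = true;   # Force SSL
      globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "code.mcwhirter.io".email = "craige@mcwhirter.io";
      "git.mcwhirter.io".email = "craige@mcwhirter.io";
      "source.mcwhirter.io".email = "craige@mcwhirter.io";
    };
  };

  # Lets the forgejo service user read the NixOps-deployed key.
  # Required due to NixOps issue #1204.
  users.groups.keys.members = [ "forgejo" ];
}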