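# NixOS module: runs Gitea on the loopback interface and publishes it through
# an nginx virtual host with an ACME certificate and forced HTTPS.
{ pkgs, lib, config, ... }:

with lib;
let
  cfg = config.fudo.git;

  # Gitea's listen address and port are defined once, so the nginx proxy
  # target cannot drift from the service's listen settings.
  giteaAddress = "127.0.0.1";
  giteaPort = 3543;

  # Submodule describing the database Gitea connects to.
  databaseOpts = { ... }: {
    options = {
      name = mkOption {
        type = types.str;
        description = "Database name.";
      };

      hostname = mkOption {
        type = types.str;
        description = "Hostname of the database server.";
      };

      user = mkOption {
        type = types.str;
        description = "Database username.";
      };

      # Security: prefer a string holding an absolute path to a file that
      # exists only on the target host. A Nix path literal can be copied into
      # the world-readable Nix store if it is interpolated downstream.
      password-file = mkOption {
        type = types.path;
        description = "File containing the database user's password.";
      };
    };
  };

in {
  options.fudo.git = {
    # mkEnableOption already prefixes "Whether to enable ", so only the
    # service name is passed here.
    enable = mkEnableOption "Fudo git web server";

    hostname = mkOption {
      type = types.str;
      description = "Hostname at which this git server is accessible.";
      example = "git.fudo.org";
    };

    site-name = mkOption {
      type = types.str;
      description = "Name to use for the git server.";
      default = "Fudo Git";
    };

    database = mkOption {
      type = (types.submodule databaseOpts);
      description = "Gitea database options.";
    };

    repository-dir = mkOption {
      type = types.path;
      description = "Path at which to store repositories.";
      example = /srv/git/repo;
    };

    state-dir = mkOption {
      type = types.path;
      description = "Path at which to store server state.";
      example = /srv/git/state;
    };

    # null leaves the gitea module's own default user in place (see mkIf below).
    user = mkOption {
      type = with types; nullOr str;
      description = "System user as which to run.";
      default = "git";
    };
  };

  config = mkIf cfg.enable {
    # Contact address registered with the ACME CA for this certificate.
    security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email;

    services = {
      gitea = {
        enable = true;
        appName = cfg.site-name;

        database = {
          # NOTE(review): createDatabase is combined with a configurable
          # database host; confirm this behaves as intended when
          # cfg.database.hostname is not the local machine.
          createDatabase = true;
          host = cfg.database.hostname;
          name = cfg.database.name;
          user = cfg.database.user;
          # Passed through unchanged; see the caveat on the password-file
          # option about keeping the secret out of the Nix store.
          passwordFile = cfg.database.password-file;
        };

        domain = cfg.hostname;

        # Listen on loopback only: nginx is the sole network-facing entry
        # point, so plain-HTTP Gitea is never exposed directly.
        httpAddress = giteaAddress;
        httpPort = giteaPort;

        # toString keeps these as plain path strings rather than store paths.
        repositoryRoot = toString cfg.repository-dir;
        stateDir = toString cfg.state-dir;

        rootUrl = "https://${cfg.hostname}/";
        user = mkIf (cfg.user != null) cfg.user;
      };

      nginx = {
        enable = true;

        virtualHosts = {
          "${cfg.hostname}" = {
            enableACME = true;
            # Redirect plain HTTP to HTTPS.
            forceSSL = true;

            locations."/" = {
              proxyPass = "http://${giteaAddress}:${toString giteaPort}";

              # X-Real-IP and X-Forwarded-For are overwritten with the
              # connecting peer's address, so a client-supplied value is not
              # forwarded. That is only the real client address while nginx is
              # the outermost proxy; behind another load balancer it would be
              # the balancer's address.
              extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-By $server_addr:$server_port;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
              '';
            };
          };
        };
      };
    };
  };
}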