{ config, lib, ... }:
let
  sp = config.selfprivacy;
  stateDir =
    if sp.useBinds
    then "/volumes/${cfg.location}/gitea"
    else "/var/lib/gitea";
  cfg = sp.modules.gitea;
in
{
  options.selfprivacy.modules.gitea = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
    };
    location = lib.mkOption {
      type = lib.types.str;
    };
    subdomain = lib.mkOption {
      default = "git";
      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
    };
  };

  config = lib.mkIf cfg.enable {
    fileSystems = lib.mkIf sp.useBinds {
      "/var/lib/gitea" = {
        device = "/volumes/${cfg.location}/gitea";
        options = [ "bind" ];
      };
    };
    services.gitea = {
      enable = true;
      inherit stateDir;
      #      log = {
      #        rootPath = "/var/lib/gitea/log";
      #        level = "Warn";
      #      };
      user = "gitea";
      database = {
        type = "sqlite3";
        host = "127.0.0.1";
        name = "gitea";
        user = "gitea";
        path = "${stateDir}/data/gitea.db";
        createDatabase = true;
      };
      # ssh = {
      #   enable = true;
      #   clonePort = 22;
      # };
      lfs = {
        enable = true;
        contentDir = "${stateDir}/lfs";
      };
      appName = "SelfPrivacy git Service";
      repositoryRoot = "${stateDir}/repositories";
      #      cookieSecure = true;
      settings = {
        server = {
          DOMAIN = "${cfg.subdomain}.${sp.domain}";
          ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
          HTTP_ADDR = "0.0.0.0";
          HTTP_PORT = 3000;
        };
        mailer = {
          ENABLED = false;
        };
        ui = {
          DEFAULT_THEME = "arc-green";
          SHOW_USER_EMAIL = false;
        };
        picture = {
          DISABLE_GRAVATAR = true;
        };
        admin = {
          ENABLE_KANBAN_BOARD = true;
        };
        repository = {
          FORCE_PRIVATE = false;
        };
        session = {
          COOKIE_SECURE = true;
        };
        log = {
          ROOT_PATH = "${stateDir}/log";
          LEVEL = "Warn";
        };
      };
    };
    services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
      useACMEHost = sp.domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        expires 10m;
      '';
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:3000";
        };
      };
    };
    systemd.services.gitea.unitConfig.RequiresMountsFor =
      lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
  };
}