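# NixOS module for a Gitea instance: HTTP is served over a local unix socket
# (proxied by nginx, configured elsewhere), Git-over-SSH uses Gitea's built-in
# SSH server on a dedicated port, and the database is PostgreSQL.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.gitea;
  domain = "git.feal.no";
  # Port of Gitea's built-in SSH server. It is also opened in the firewall at
  # the bottom of this file. (The previously defined httpPort binding was never
  # referenced, since HTTP goes over the unix socket, and has been dropped.)
  sshPort = 2222;
in {
  services.gitea = {
    enable = true;
    appName = "felixalbs Gitea";
    database.type = "postgres";
    stateDir = "/tank/services/gitea";

    settings = {
      server = {
        # Serve on local unix socket, exposed in hosts/defiant/services/nginx.nix
        PROTOCOL = "http+unix";
        DOMAIN = domain;
        ROOT_URL = "https://${domain}";
        # The value deliberately carries literal double quotes inside the Nix
        # string, presumably so the generated ini holds a quoted path.
        LANDING_PAGE = ''"/felixalb"'';

        # Built-in SSH server. Unlike HTTP it is not fronted by nginx: it
        # listens on sshPort, which the firewall rule below exposes directly.
        SSH_PORT = sshPort;
        SSH_LISTEN_PORT = sshPort;
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
      };

      # Local self-registration is off; accounts come from the OAuth2/OIDC
      # source handled by oauth2_client below.
      service.DISABLE_REGISTRATION = true;

      # Session cookie is only sent over HTTPS, matching the https ROOT_URL.
      session.COOKIE_SECURE = true;

      packages.ENABLED = false;
      packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";

      oauth2_client = {
        # NOTE(review): with auto-registration on, every identity the
        # configured provider will authenticate gets a Gitea account. Access
        # control therefore lives at the identity provider; confirm it limits
        # who can sign in.
        ENABLE_AUTO_REGISTRATION = true;
        OPENID_CONNECT_SCOPES = "email profile openid";
        UPDATE_AVATAR = true;
        # NOTE(review): "auto" links an external login to an existing local
        # account with a matching username or email without asking for that
        # account's password. This is only safe if the provider is trusted and
        # verifies email ownership; "login" requires proving control of the
        # local account before linking.
        ACCOUNT_LINKING = "auto";
        # New account names are derived from the email claim.
        USERNAME = "email";
      };

      log.LEVEL = "Info";
      # SQL statements are kept out of the logs.
      database.LOG_SQL = false;

      ui = {
        THEMES = "gitea,arc-green,nord";
        DEFAULT_THEME = "nord";
      };
    };

    # TODO:
    # - Backup
    #   - services.gitea.dump?
    #   - ZFS snapshots?
    #   (services.postgresqlBackup below covers only the database, not the
    #   data kept under stateDir.)
    # - configure mailer
  };

  # Force the unit's working directory to a path under the custom stateDir,
  # overriding whatever the gitea module sets.
  systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";

  # Database-level backup of the gitea PostgreSQL database.
  services.postgresqlBackup.databases = [ "gitea" ];

  # Expose only the Git SSH port here; HTTP(S) exposure is handled by nginx.
  networking.firewall.allowedTCPPorts = [ sshPort ];
}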