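# NixOS module: Gitea served behind an nginx TLS reverse proxy.
#
# Options:
#   mod.gitea.enable - turn the service on.
#   mod.gitea.domain - virtual host name; also used for ROOT_URL and as the
#                      ACME host.
#
# Nothing below `config` is applied unless both mod.gitea.enable and
# mod.nginx.enable are set.
{ lib, config, ... }:
let
  enable = config.mod.gitea.enable;
  domain = config.mod.gitea.domain;
  nginxEnable = config.mod.nginx.enable;
in
{
  options = {
    mod.gitea = {
      enable = lib.mkEnableOption "Enable gitea";
      domain = lib.mkOption {
        type = lib.types.str;
        # With the default empty string ROOT_URL becomes "https://"; set this
        # whenever the module is enabled.
        default = "";
        description = "The domain that nginx will use as a virtual host";
      };
    };
  };

  config = lib.mkIf (enable && nginxEnable) {
    services.gitea = {
      enable = true;
      settings = {
        service = {
          # No self-service sign-up on this instance.
          DISABLE_REGISTRATION = true;
        };
        server = {
          DOMAIN = domain;
          ROOT_URL = "https://${domain}";
          SSH_PORT = 1122; # See `ssh` module
          # NOTE(review): HTTP_ADDR is not set, so Gitea keeps its default
          # bind address. If that default is all interfaces, the plain-HTTP
          # backend on :3000 is reachable without going through the TLS proxy
          # wherever the firewall allows it; consider HTTP_ADDR = "127.0.0.1".
        };
        database = {
          # NOTE(review): `type` and `passwordFile` look like the NixOS
          # `services.gitea.database.*` option names, not app.ini keys. Nested
          # under `settings` they are presumably written verbatim into the
          # [database] section and otherwise ignored - confirm, and move them
          # one level up if that was the intent. A sqlite3 database also has
          # no password to read.
          type = "sqlite3";
          passwordFile = config.age.secrets.gitea-dbpassword.path;
        };
        session = {
          # Session cookie is marked Secure, matching forceSSL on the vhost.
          COOKIE_SECURE = true;
        };
      };
    };

    services.nginx = {
      virtualHosts."${domain}" = {
        forceSSL = true;
        useACMEHost = domain;
        locations."/" = {
          # Was "http://0.0.0:3000": a three-octet address is not a valid
          # IPv4 literal and only works where the resolver accepts the legacy
          # shorthand. Proxy to loopback explicitly.
          proxyPass = "http://127.0.0.1:3000";
          proxyWebsockets = true;
        };
      };
    };

    # Encrypted secret (presumably agenix); its decrypted location is what
    # `config.age.secrets.gitea-dbpassword.path` above refers to.
    age.secrets = {
      "gitea-dbpassword".file = ../../../../secrets/tadpole/gitea-dbpassword.age;
    };
  };
}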