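{ config, pkgs, lib, ... }:
# Self-hosted Forgejo behind Caddy (TLS) and Anubis (scraper challenge).
# Request path: client -> Caddy :443 -> Anubis 127.0.0.1:3333 -> Forgejo 127.0.0.1:3000.
let
  forgejoCfg = config.services.forgejo;
  anubisCfg = config.services.anubis.instances.forgejo;
  gitDomain = "git.${config.homelab.domain}";
in
{
  services.forgejo = {
    enable = true;
    stateDir = "/var/lib/forgejo";
    repositoryRoot = "${forgejoCfg.stateDir}/repositories";
    database.createDatabase = true;

    settings = {
      # Session cookies are only ever served through the HTTPS vhost below.
      session.COOKIE_SECURE = true;

      server = {
        DOMAIN = gitDomain;
        ROOT_URL = "https://${forgejoCfg.settings.server.DOMAIN}";
        # Port advertised in SSH clone URLs; the host sshd handles SSH itself
        # (see authorizedKeysInHomedir below).
        SSH_PORT = 22;
        # PROTOCOL = "https";  # TLS is terminated by Caddy; Forgejo speaks plain HTTP.
        # Loopback only: the unauthenticated HTTP listener must only be reachable
        # through Anubis/Caddy. Left unset it listens on all interfaces, so a
        # direct connection to :3000 would skip the scraper challenge and TLS
        # (the host firewall is a second line of defence, not the only one).
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
      };

      # Only proxies on loopback (Caddy and Anubis on this host) may set
      # X-Forwarded-For / X-Real-IP; any other peer claiming a client address
      # is ignored, so logs and rate limits see the real client.
      security.REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";

      # No self-service sign-up and no password login form; accounts presumably
      # come from an external auth source configured elsewhere — confirm.
      service = {
        DISABLE_REGISTRATION = true;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        SHOW_REGISTRATION_BUTTON = false;
        ENABLE_PASSWORD_SIGNIN_FORM = false;
      };
    };
  };

  # Anubis sits between Caddy and Forgejo and challenges AI scrapers before they
  # can overload the git server.
  services.anubis.instances.forgejo = {
    enable = true;
    settings = {
      TARGET = "http://127.0.0.1:${toString forgejoCfg.settings.server.HTTP_PORT}";
      SERVE_ROBOTS_TXT = true;
      BIND_NETWORK = "tcp";
      # Loopback only, for the same reason as HTTP_ADDR above: a bare ":3333"
      # would listen on every interface and expose Forgejo without TLS.
      BIND = "127.0.0.1:3333";
    };
  };

  # Forgejo manages user SSH keys in its own ~/.ssh/authorized_keys file.
  # users.users.<name>.openssh.authorizedKeys.keyFiles could not be used to
  # scope this to the forgejo user alone (its home lives under /var), so
  # keys-in-homedir is forced on. NOTE(review): this is a global sshd setting,
  # so it re-enables ~/.ssh/authorized_keys for every account on the host,
  # not just forgejo — keep that in mind when hardening sshd.
  services.openssh.authorizedKeysInHomedir = lib.mkForce true;

  services.caddy.virtualHosts.${gitDomain} = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://${toString anubisCfg.settings.BIND} {
        # Anubis presumably keys its challenge state on X-Real-Ip — verify
        # against the Anubis docs for the deployed version.
        header_up X-Real-Ip {remote_host}
        header_up X-Http-Version {http.request.proto}
      }
    '';
  };
}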