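{ config, pkgs, lib, ... }:
# Forgejo behind Caddy. TLS, ACME and the client-IP policy live in Caddy; Forgejo
# itself only speaks plain HTTP to the proxy and relies on the system sshd for git-over-SSH.
{
  services.forgejo = {
    enable = true;
    stateDir = "/media/apps/git";
    repositoryRoot = "${config.services.forgejo.stateDir}/repos";
    database.createDatabase = true;

    settings = {
      # The public URL is https (ROOT_URL below), so the session cookie must
      # never be sent over a plaintext connection.
      session.COOKIE_SECURE = true;

      server = {
        DOMAIN = "git.${config.homelab.domain}";
        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
        # Git-over-SSH is served by the host sshd on the standard port, not by
        # a built-in SSH server (see authorizedKeysInHomedir below).
        SSH_PORT = 22;
        # TLS is terminated by Caddy; Forgejo stays on plain HTTP.
        # PROTOCOL = "https";
        # Bind to loopback only. The only intended client is the reverse_proxy
        # below, and binding to all interfaces would let the Caddy
        # `block_non_private_ips` policy be bypassed by talking to port 3000
        # directly (the NixOS module defaults HTTP_ADDR to 0.0.0.0).
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
      };

      service = {
        # Accounts come only from an external auth source: no self-service
        # sign-up and no local password form on the login page.
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        SHOW_REGISTRATION_BUTTON = false;
        ENABLE_PASSWORD_SIGNIN_FORM = false;
      };
    };
  };

  # Forgejo keeps user SSH keys in its own ~/.ssh/authorized_keys, so sshd has to
  # read keys from home directories. The per-user
  # users.users.<name>.openssh.authorizedKeys.keyFiles route could not be used
  # to scope this to the forgejo user alone (original note: because of "/var").
  # NOTE(review): mkForce true re-enables home-directory authorized_keys for
  # every user on this host, not just forgejo -- confirm that is acceptable.
  services.openssh.authorizedKeysInHomedir = lib.mkForce true;

  services.caddy.virtualHosts."git.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}
      import block_non_private_ips
    '';
  };
}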