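{ config, lib, ... }:
let
  # Per-service settings (ports, domain) live in vars.nix; this module only
  # wires the Forgejo container, its database and the reverse proxy together.
  cfg = import ./vars.nix;
  service = "forgejo";
  dbport = cfg."${service}".dbport;
  domain = cfg."${service}".domain;
  port = cfg."${service}".port;
  sshport = cfg."${service}".sshport;
in
{
  imports = [
    ./podman-postgresql.nix # for the database
    ./nginx.nix # for the webserver
  ];

  # Database password, decrypted by sops at activation time. Only the file
  # path is passed to the postgres container; the plaintext value never
  # appears in the Nix store.
  sops.secrets."gitea/db" = { };

  services.podman-postgresql."${service}" = {
    enable = true;
    image = "docker.io/library/postgres:17-alpine";
    # dbport is stored as a string in vars.nix; the module wants an int.
    port = lib.strings.toInt dbport;
    passwordFile = config.sops.secrets."gitea/db".path;
  };

  virtualisation.oci-containers.containers."${service}" = {
    # Major-version tag: pulls follow the 10.x line. Pin a digest here if
    # reproducible deployments are required.
    image = "codeberg.org/forgejo/forgejo:10";
    environment = { TZ = "Europe/Berlin"; };
    ports = [
      # The web UI is only reached through the TLS vhost below, so the
      # plaintext HTTP port is bound to loopback instead of to every
      # interface (the runtime default when no host address is given).
      "127.0.0.1:${port}:3000"
      # Git-over-SSH is user-facing and stays reachable on all interfaces.
      "${sshport}:22"
    ];
    volumes = [ "/var/lib/${service}:/data" ];
    extraOptions = cfg.podman.extraOptions;
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        # Matches the loopback binding above; using the literal address
        # avoids a "localhost" -> ::1 lookup that the container does not
        # listen on.
        proxyPass = "http://127.0.0.1:${port}";
        extraConfig = ''
          proxy_set_header Connection $http_connection;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          client_max_body_size 512M;
        '';
      };
    };
    extraConfig = ''
      access_log /var/log/nginx/${domain}_access.log;
      error_log /var/log/nginx/${domain}_error.log;
    '';
  };
}
# vim: set et ts=2 sw=2 ai: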