# NixOS module: Forgejo served over a unix socket behind Caddy, with the two
# application secrets supplied by sops rather than generated on first start.
{ config, lib, ... }:
let
  # Ownership applied to every secret file this module declares: readable by
  # the forgejo service account only (no mode is set here, sops' default applies).
  forgejoOwned = {
    owner = "forgejo";
    group = "forgejo";
  };

  # Socket Forgejo listens on; Caddy proxies to it (see extraConfig below).
  socketPath = "/run/forgejo/forgejo.sock";

  # Public name the instance is reachable under.
  publicHost = "git.wo2wz.fyi";
in
{
  sops.secrets = {
    "forgejo/secret-key" = forgejoOwned;
    "forgejo/internal-token" = forgejoOwned;
  };

  # The socket is created with mode 660 (settings.server below), so Caddy
  # must be in the forgejo group to connect to it.
  users.groups.forgejo.members = [ "caddy" ];

  services.caddy.virtualHosts.${publicHost}.extraConfig =
    # The vhost is useless without Caddy itself; fail evaluation loudly.
    assert config.services.caddy.enable;
    ''
      import default-settings
      import cloudflare-tls
      reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
    '';

  services.forgejo = {
    enable = true;

    # Point both secrets at the sops-decrypted files. mkForce is used here;
    # presumably the upstream module sets its own default paths — confirm
    # whether a plain assignment would do.
    secrets.security = {
      SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret-key".path;
      INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal-token".path;
    };

    settings = {
      DEFAULT = {
        APP_NAME = "Wo2wz's Git";
        APP_SLOGAN = "Powered by NixOS";
        APP_DISPLAY_NAME_FORMAT = "{APP_NAME} - {APP_SLOGAN}";
      };

      "ui.meta" = {
        AUTHOR = "Wo2wz's forgejo";
        DESCRIPTION = ''in the forged jo, straight up "committing" it, and by "it" lets just say... my git'';
      };

      server = {
        # No TCP listener at all: the only entry point is the unix socket,
        # which Caddy fronts.
        PROTOCOL = "http+unix";
        HTTP_ADDR = socketPath;
        # Owner and group (forgejo, plus caddy via group membership) may
        # connect; nobody else on the host can reach the socket directly.
        UNIX_SOCKET_PERMISSION = 660;
        DOMAIN = publicHost;
        ROOT_URL = "https://${publicHost}/";
        # cant work with cf tunnel unfortunately
        DISABLE_SSH = true;
      };

      database.SQLITE_JOURNAL_MODE = "WAL";

      cache = {
        ADAPTER = "twoqueue";
        HOST = ''{"size":100, "recent_ratio":0.25, "ghost_ratio":0.5}'';
      };

      # Local password sign-in and self-registration are both switched off;
      # presumably an external auth source is configured elsewhere — verify,
      # otherwise nobody can log in through the web UI.
      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        ENABLE_INTERNAL_SIGNIN = false;
      };

      # Session cookie is marked Secure; consistent with TLS being handled
      # in the Caddy vhost (cloudflare-tls import).
      session.COOKIE_SECURE = true;

      # No CI runners on this instance.
      actions.ENABLED = false;
    };
  };
}