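# NixOS module: self-hosted Forgejo (git.lyes.eu) on top of PostgreSQL,
# with a sendmail-based mailer and an admin account bootstrapped from an
# agenix secret. The file collapsed onto one line upstream; it is laid out
# conventionally here, and the admin-password secret now states its mode
# explicitly, matching the db-password secret below.
{ lib, config, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
in
{
  # sshd listens on the stock port and on the port advertised to Forgejo users
  # (settings.server.SSH_PORT below). Only GIT_PROTOCOL is accepted from the
  # client environment, which is what git needs to negotiate protocol v2.
  services.openssh = {
    ports = [ 22 2222 ];
    settings.AcceptEnv = "GIT_PROTOCOL";
  };

  # Fixing mailing issues: the sendmail mailer below execs the setuid sendmail
  # wrapper, which the upstream unit's sandboxing does not allow.
  # NOTE(review): these overrides drop NoNewPrivileges, the private user
  # namespace and the entire syscall filter from the forgejo unit, so a
  # compromised Forgejo process loses that containment. Worth re-checking
  # whether a narrower relaxation, or an SMTP mailer over localhost that needs
  # no setuid helper, would do instead.
  systemd.services.forgejo.serviceConfig = {
    RestrictAddressFamilies = [ "AF_LOCAL" "AF_NETLINK" ];
    # The postfix maildrop queue is where the wrapper hands the mail off.
    ReadWritePaths = [ "/var/spool/mail/" "/var/lib/postfix/queue/maildrop/" ];
    NoNewPrivileges = lib.mkForce false;
    PrivateUsers = lib.mkForce false;
    SystemCallFilter = lib.mkForce [];
  };

  services.forgejo = {
    enable = true;

    # The service user/group are left at the module default. Renaming them
    # alone did not work: the module appears to require the system user and the
    # database user to match (local-socket auth) — TODO confirm against the
    # upstream module before changing either.
    # user = "biggoron";
    # group = "biggoron";

    database = {
      type = "postgres";
      user = "forgejo";
      name = "forgejo";
      # Read from the agenix-managed file at runtime; never inlined here.
      passwordFile = config.age.secrets.biggoron-db-pass.path;
    };

    # Enable support for Git Large File Storage
    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "git.lyes.eu";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${srv.DOMAIN}/";
        HTTP_PORT = 44303;
        # Must match one of services.openssh.ports above.
        SSH_PORT = 2222;
      };

      # Registration stays closed; the admin account is created in preStart.
      # You can temporarily allow registration to create an admin user.
      service.DISABLE_REGISTRATION = true;

      # Add support for actions, based on act: https://github.com/nektos/act
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };

      # Sending emails is completely optional
      # You can send a test email from the web UI at:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      mailer = {
        ENABLED = true;
        PROTOCOL = "sendmail";
        FROM = "root-biggoron@lyes.eu";
        # The setuid wrapper; this is what the serviceConfig overrides above
        # exist for.
        SENDMAIL_PATH = "${config.security.wrapperDir}/sendmail";
      };

      # oauth2_client = {
      #   REGISTER_EMAIL_CONFIRM = true;
      #   USERNAME = ;
      # };
    };

    # secrets = {
    #   # mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
    # };
  };

  # Bootstrap the admin account on every start. `|| true` keeps the unit from
  # failing once the user already exists. The password is read from the agenix
  # file, but it is then passed as a command-line argument, so it is briefly
  # visible in the process list — the CLI offers no file-based alternative
  # here that this config relies on; treat the secret as low-value after first
  # login and rotate it from the web UI.
  systemd.services.forgejo.preStart =
    let
      adminCmd = "${lib.getExe cfg.package} admin user";
      pwd = config.age.secrets.biggoron-admin-pass;
      user = "biggoron-admin";
    in
    ''
      ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
      ## uncomment this line to change an admin user which was already created
      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    '';

  # Both secrets are decrypted to files readable only by the forgejo user.
  age.secrets.biggoron-db-pass = {
    file = ../../../secrets/zora/services/biggoron-db-pass.age;
    mode = "400";
    owner = "forgejo";
    group = "forgejo";
  };

  age.secrets.biggoron-admin-pass = {
    file = ../../../secrets/zora/services/biggoron-admin-pass.age;
    # Stated explicitly to match the db secret (agenix defaults to 0400).
    mode = "400";
    owner = "forgejo";
    group = "forgejo";
  };
}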