{ config, pkgs, ... }:
let
  gitHome = "/srv/git.gebner.org";

  gogs = pkgs.callPackage ../pkgs/gogs.nix { };

  gogsPort = 8001;
  gogsConfig = pkgs.writeText "gogs.ini" ''
APP_NAME = Gogs: Go Git Service
RUN_USER = git
RUN_MODE = prod

[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:3306
NAME = gogs
USER = root
PASSWD = 
SSL_MODE = disable
PATH = ${gitHome}/data/gogs.db

[repository]
ROOT = ${gitHome}/gogs-repositories

[server]
DOMAIN = git.gebner.org
HTTP_PORT = ${toString gogsPort}
ROOT_URL = https://git.gebner.org/
DISABLE_SSH = false
SSH_PORT = 22
OFFLINE_MODE = true

[mailer]
ENABLED = false

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false

[picture]
DISABLE_GRAVATAR = false
AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars

[session]
PROVIDER = file

[log]
ROOT_PATH = ${gitHome}/logs
MODE = file
LEVEL = Info

[security]
INSTALL_LOCK = true
'';
in
{
  users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
  users.extraGroups.git = { };

  systemd.services.gogs = {
    path = with pkgs; [ git openssh bash ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      Restart = "always";
      User = "git";
      Group = "git";
      ExecStart = "${gogs}/gogs web -c ${gogsConfig}";
      WorkingDirectory = gitHome;
    };
  };

  services.nginx.httpConfig = ''
    server {
      listen [::]:80;
      listen 80;
      server_name git.gebner.org;

      location /.well-known/acme-challenge {
        default_type text/plain;
        alias /var/lib/acme/www/.well-known/acme-challenge;
      }

      location / {
        rewrite ^(.*) https://$host$1 permanent;
      }
    }

    server {
      listen [::]:443;
      listen 443;
      server_name git.gebner.org;

      ssl on;
      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
      ssl_dhparam /etc/nginx/dhparam.pem;
      ssl_protocols TLSv1.1 TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
      ssl_prefer_server_ciphers on;
      add_header Strict-Transport-Security max-age=15768000;
      ssl_stapling on;
      ssl_stapling_verify on;

      location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://gogs;
        client_max_body_size 30M;
        break;
      }
    }

    upstream gogs {
      server 127.0.0.1:${toString gogsPort};
    }
  '';
}