{ config, pkgs, ... }:

let
  # Gitblit WAR, fetched as a fixed-output derivation: the build fails unless
  # the download matches sha256, so the artifact stays integrity-pinned even
  # though the URL is plain HTTP.
  # NOTE(review): Bintray was shut down in 2021, so this URL probably no
  # longer resolves. When moving to another mirror, keep the hash check and
  # prefer an https source. The release only changes when url and sha256 are
  # bumped together, so upstream fixes are not picked up automatically.
  gitblitWar = pkgs.fetchurl {
    url = "http://dl.bintray.com/gitblit/releases/gitblit-1.6.2.war";
    sha256 = "01gqarpwqbx1ix5zycfxw4172q5l8hhxvb7f92y3lz8l6x42l7i9";
  };

  # Data directory inside the container: home of the git user, target of the
  # createGitDir unit, and the value passed to the JVM as GITBLIT_HOME.
  gitHome = "/srv/git.gebner.org";
in
{
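  # Gitblit runs in a declarative NixOS container. privateNetwork gives the
  # container its own network namespace, connected to the host by a veth pair.
  containers.gitblit = {
    config = { config, pkgs, ... }: {
      # Dedicated account and group; the winstone service below runs as
      # git:git rather than root.
      users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
      users.extraGroups.git = { };

      # One-shot unit that creates the data directory and hands it to git.
      # It re-runs on every start and re-owns everything under gitHome,
      # including files that were deliberately given another owner.
      systemd.services.createGitDir = {
        wantedBy = [ "winstone-gitblit.service" ];
        # wantedBy only pulls this unit in; it does not order it. Without
        # `before`, Gitblit can start while the directory is still missing
        # or not yet owned by git.
        before = [ "winstone-gitblit.service" ];
        serviceConfig.Type = "oneshot";
        script = ''
          mkdir -p ${gitHome}
          chown git:git -R ${gitHome}
        '';
      };

      # Servlet container hosting the pinned WAR, run as the unprivileged
      # git account with its state under gitHome.
      services.winstone.gitblit = {
        user = "git";
        group = "git";
        warFile = "${gitblitWar}";
        extraJavaOptions = [ "-DGITBLIT_HOME=${gitHome}" ];
      };
    };

    privateNetwork = true;
    # hostAddress is the host end of the veth pair, localAddress the
    # container end (per the NixOS containers options).
    hostAddress = "192.168.100.10";
    localAddress = "192.168.101.10";
  };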

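  # TLS-terminating reverse proxy on the host in front of Gitblit.
  #
  # NOTE(review): ssl_protocols and ssl_ciphers are not set, so protocol and
  # cipher selection falls back to the defaults of the installed nginx. Pin
  # them explicitly if legacy protocols must be refused.
  # NOTE(review): no Strict-Transport-Security header is sent, so a first
  # visit still depends on the port-80 redirect.
  # NOTE(review): the upstream targets 192.168.100.10, which is the
  # container's hostAddress (host end of the veth). The container end is
  # localAddress 192.168.101.10 — confirm which one serves port 8080.
  # NOTE(review): the private key path should be readable only by root and
  # the nginx master process; its permissions are not visible here.
  services.nginx.appendConfig = ''
  http {
    server {
      listen [::]:80;
      listen 80;
      server_name git.gebner.org;

      # Redirect to the configured name instead of echoing the request's
      # Host header into Location.
      return 301 https://$server_name$request_uri;
    }

    server {
      # The ssl flag on listen replaces the deprecated "ssl on;" directive.
      listen [::]:443 ssl;
      listen 443 ssl;
      server_name git.gebner.org;

      ssl_certificate_key /etc/sslcerts/mastus.key;
      ssl_certificate /etc/sslcerts/git.cert;

      location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        # Appends to whatever the client sent; the backend should trust
        # only the last entry (or X-Real-IP) for access decisions.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $host is normalised and never empty, and matches the
        # X-Forwarded-* headers above; $http_host forwarded the raw header.
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://gitblit;
        client_max_body_size 30M;
        break;
      }
    }

    # Plain HTTP between nginx and the backend; acceptable only while this
    # hop stays on the host-local veth link.
    upstream gitblit {
      server 192.168.100.10:8080;
    }
  }
  '';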
}