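# NixOS module for the Forgejo instance served at git.orga.cebula.camp.
#
# It does four things, all visible below:
#   * overlays a locally patched forgejo-lts (LDAP e-mail attribute fix),
#   * configures the service, its built-in SSH server and the OAuth2 client,
#   * fronts the HTTP side with nginx + ACME,
#   * redirects external TCP/22 to the built-in SSH server on 2223.
{ config, pkgs, ... }:
{
  nixpkgs.overlays = [
    (self: super: {
      # Always add '@cebula.camp' to the LDAP email attribute, so that we can set
      # the attribute to 'cn'. We don't have any other way to get an
      # @cebula.camp email address.
      forgejo-lts = super.forgejo-lts.overrideAttrs (oa: {
        # `oa.patches or [ ]` keeps the override evaluating even if the upstream
        # derivation stops declaring a `patches` attribute.
        patches = (oa.patches or [ ]) ++ [
          ./forgejo/0001-bad-bad-not-good-patch-it-s-3-am-and-i-am-tired.patch
        ];
        # NOTE(review): the package's own test suite is skipped for the patched
        # build, so a regression introduced by the local patch is not caught at
        # build time.
        doCheck = false;
      });
    })
  ];

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    # Pin the service to the overlaid package explicitly, so the patch above is
    # the binary that actually runs regardless of the module's default package.
    package = pkgs.forgejo-lts;

    settings = {
      service = {
        # Self-service sign-up only via the external provider; no local
        # password registration.
        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = false;
      };
      server = {
        ROOT_URL = "https://git.orga.cebula.camp";
        HTTP_PORT = 3001;
        DOMAIN = "git.orga.cebula.camp";
        # Built-in SSH server: advertised on 22 (clone URLs) but listening on
        # 2223; the firewall NAT rule at the bottom maps 22 -> 2223.
        START_SSH_SERVER = true;
        SSH_PORT = 22;
        SSH_LISTEN_PORT = 2223;
        BUILTIN_SSH_SERVER_USER = "git";
      };
      oauth2_client = {
        # No e-mail confirmation plus automatic registration/linking means the
        # provider's identity and e-mail claim are trusted as-is. With
        # ACCOUNT_LINKING = "auto" a provider identity is attached to an
        # existing local account by matching e-mail, so the provider must only
        # emit addresses it controls (here they are derived from the LDAP cn
        # by the patch above).
        REGISTER_EMAIL_CONFIRM = false;
        ENABLE_AUTO_REGISTRATION = true;
        USERNAME = "nickname";
        ACCOUNT_LINKING = "auto";
      };
      DEFAULT = {
        # Fixed from the misspelling `APP_ANME`, which Forgejo does not
        # recognise, leaving the instance on the default application name.
        APP_NAME = "CebulaGit";
      };
    };
  };

  # One-off bootstrap of the first admin user, kept for reference only.
  # The original line carried the account password in clear text; it is
  # replaced by a placeholder here — credentials do not belong in configuration
  # comments (they end up in the repository history and in the Nix store).
  #systemd.services.forgejo-secrets.script = ''
  #  ${pkgs.forgejo}/bin/gitea admin user create --username bofh --password <BOOTSTRAP_PASSWORD_PLACEHOLDER> --email q3k@q3k.org --admin --must-change-password=false
  #'';

  services.nginx.virtualHosts."git.orga.cebula.camp" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:3001";
    };
  };

  # Redirect external port 22 to internal 2223 (built-in Forgejo SSH server).
  # 2223 must be open in the filter chain because REDIRECT is applied in nat
  # PREROUTING, i.e. before filtering, so INPUT sees dport 2223.
  # NOTE(review): this is an IPv4 (iptables) rule only; if the host is
  # reachable over IPv6, SSH on port 22 is not redirected there — confirm.
  networking.firewall.allowedTCPPorts = [ 22 2223 ];
  networking.firewall.extraCommands = ''
    # Check (-C) before appending so a firewall reload does not stack a
    # duplicate REDIRECT rule.
    iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2223 2>/dev/null \
      || iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2223
  '';
  networking.firewall.extraStopCommands = ''
    # Delete only our own rule. The previous `-F PREROUTING` flushed every nat
    # PREROUTING rule on the host, including rules owned by other services.
    iptables -t nat -D PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2223 2>/dev/null || true
  '';
}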