# NixOS host module for a self-hosted Gitea instance.
#
# What this file sets up, as far as the visible options show:
#   * a declarative NixOS container "gitea" on a private host<->container link
#     (192.168.100.1 <-> 192.168.100.10) with /persist bind-mounted read-write;
#   * inside the container: Gitea on plain HTTP :3000, CoreDNS as a forwarding
#     resolver, a nightly PostgreSQL dump and an sshd for git-over-SSH;
#   * on the host: an nginx vhost that terminates TLS and proxies to the
#     container, plus a NAT rule forwarding TCP/22 to the container.
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:

{
  containers.gitea = {
    # The container is reachable only through the hostAddress/localAddress
    # pair below, not on the host's own interfaces.
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.10";
    autoStart = true;
    bindMounts = {
      # Host directory mounted writable at /persist in the container; the
      # Gitea state and the database backups configured below live under it.
      "/persist" = {
        hostPath = "/persist/containers/gitea";
        isReadOnly = false;
      };
    };
    # The container's system closure is built from the inline module below
    # via the project's evalConfig helper.
    path = (evalConfig {
      hosts = { };
      groups = { };
    } ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      # NOTE(review): an empty hashedPassword is not a locked account. NixOS
      # documents it as "log in without being asked for a password" (not via
      # SSH, su or sudo). If it is only here for console access from the
      # host, confirm no other local login path exists in the container, or
      # lock the account instead.
      users.users.root.hashedPassword = "";
      system.stateVersion = "21.11";
      # Project profile; presumably makes the root filesystem non-persistent,
      # which is why state is redirected to /persist below (confirm).
      imports = [ sources.nix-hexchen.nixosModules.profiles.nopersist ];
      environment.systemPackages = [ pkgs.gitea ];
      # Project option; presumably backs /var/lib/gitea with /persist/gitea so
      # repositories and config survive a container rebuild (confirm).
      hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea";
      # NOTE(review): nothing visible in this module needs an unfree package;
      # confirm this is still required before keeping it.
      nixpkgs.config.allowUnfree = true;
      # NOTE(review): with the firewall off, every listener in the container
      # (Gitea on 0.0.0.0:3000, CoreDNS on :53, sshd on :22) is reachable by
      # anything that can route to 192.168.100.10. Isolation then rests on
      # privateNetwork and the host's NAT/forward rules alone; an allow-list
      # for 22 and 3000 would make that explicit.
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };
      # Local forwarding resolver: every query goes upstream to 1.1.1.1 over
      # plain DNS. No bind address is given, so it answers on all container
      # addresses.
      # NOTE(review): the Corefile appears on a single line in this listing;
      # CoreDNS expects the server block's directives on their own lines.
      # Confirm against the deployed file.
      services.coredns = {
        enable = true;
        config = '' .:53 { forward . 1.1.1.1 } '';
      };
      services.gitea = {
        enable = true;
        appName = "0x0: git for all creatures";
        rootUrl = "https://git.infra4future.de/";
        # Plain HTTP on all container addresses; TLS is terminated by the
        # host's nginx vhost at the bottom of this file.
        httpAddress = "0.0.0.0";
        httpPort = 3000;
        lfs.enable = true;
        # Local self-registration is off.
        # NOTE(review): oauth2_client.ENABLE_AUTO_REGISTRATION below still
        # asks Gitea to create accounts for OAuth2 logins; confirm how the two
        # settings interact in the deployed Gitea version.
        disableRegistration = true;
        database.type = "postgres";
        # Session cookies carry the Secure flag, matching the https rootUrl.
        cookieSecure = true;
        log.level = "Info";
        # mailerPasswordFile =
        #   "/var/lib/secrets/noreply"; # see below for access permissions
        settings = {
          # mailer = {
          #   ENABLED = true;
          #   HOST = "0x0.rip:465";
          #   FROM = "noreply@0x0.rip";
          #   ENVELOPE_FROM = "noreply@0x0.rip";
          #   USER = "noreply@0x0.rip";
          # };
          repository = {
            # New repositories are public unless the creator opts out.
            DEFAULT_PRIVATE = "public";
            PREFERRED_LICENSES = "Unlicense";
            DEFAULT_BRANCH = "main";
          };
          oauth2_client = {
            # NOTE(review): per Gitea's configuration docs, "auto" links an
            # external login to an existing local account purely on a matching
            # username or e-mail, without asking for the local password.
            # Account safety therefore depends on the identity provider
            # verifying e-mail addresses and controlling usernames; "login"
            # requires proof of the local account first.
            ACCOUNT_LINKING = "auto";
            ENABLE_AUTO_REGISTRATION = true;
          };
          "repository.pull-requests" = {
            DEFAULT_MERGE_STYLE = "merge";
            DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true;
          };
          # NOTE(review): Gitea documents this limit in megabytes, so 1024
          # allows roughly 1 GiB per uploaded file; check it against the
          # storage behind /persist and the proxy's body-size limit.
          "repository.upload".FILE_MAX_SIZE = 1024;
          server = {
            # REQUIRE_SIGNIN_VIEW is not set in this file, so the explore
            # listing is presumably visible to anonymous visitors (confirm).
            LANDING_PAGE = "explore";
            # Keeps the UI from loading assets from external CDNs/Gravatar.
            OFFLINE_MODE = true;
          };
          security = {
            # Disables the web installer so it cannot be re-run by a visitor.
            INSTALL_LOCK = true;
          };
          other = {
            # Hides the Gitea version and template timing from the page
            # footer, which removes an easy version fingerprint.
            SHOW_FOOTER_VERSION = false;
            SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
          };
          cron = {
            ENABLED = true;
            NOTICE_ON_SUCCESS = true;
          };
          "cron.update_mirrors" = {
            SCHEDULE = "@every 12h";
            # Negative limits mean "no limit" on queued mirror updates.
            PULL_LIMIT = "-1";
            PUSH_LIMIT = "-1";
          };
          "cron.git_gc_repos".ENABLED = true;
          "cron.delete_old_actions".ENABLED = true;
        };
      };
      # Nightly dump of the "gitea" database at 23:45.
      # NOTE(review): the dump holds password hashes, tokens and private
      # repository metadata, and /persist is the same host bind mount as the
      # live data. Confirm the directory's permissions and that a copy leaves
      # this host.
      services.postgresqlBackup = {
        enable = true;
        databases = [ "gitea" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
      # sshd for git-over-SSH: key-based logins only, bound to the container
      # address. AcceptEnv GIT_PROTOCOL lets clients negotiate the git wire
      # protocol version; no other client environment is accepted.
      services.openssh = {
        enable = true;
        passwordAuthentication = false;
        listenAddresses = [
          {
            addr = "192.168.100.10";
            port = 22;
          }
        ];
        extraConfig = '' AcceptEnv GIT_PROTOCOL '';
      };
    })).config.system.build.toplevel;
  };
  # Public entry point: HTTPS only, with an ACME certificate. The hop from
  # nginx to the container is plain HTTP over the private link.
  services.nginx.virtualHosts."git.infra4future.de" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${config.containers.gitea.localAddress}:3000";
    };
  };
  # Project NAT option; presumably DNATs inbound TCP/22 on the host to the
  # container's sshd, which makes that sshd internet-facing (confirm, and
  # confirm where the host's own sshd listens).
  hexchen.nftables.nat.forwardPorts = [{
    ports = [ 22 ];
    destination = "${config.containers.gitea.localAddress}:22";
    proto = "tcp";
  }];
}