{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:

{
  # NixOS container running GitLab (web UI, Pages, git-over-ssh) on a private
  # veth; the host proxies HTTP(S) into it and DNATs port 22 to it.
  containers.gitlab = let
    # The container's own NixOS configuration. It is evaluated explicitly so
    # that `path` can point straight at the resulting system closure.
    gitlabSystem = { config, lib, pkgs, profiles, modules, sources, ... }: {
      imports = [
        ../modules/mattermost.nix
        # presumably an ephemeral-root profile; persistent state then lives only
        # under the /persist bind mount declared below — verify against nix-hexchen
        ((import sources.nix-hexchen) {}).profiles.nopersist
      ];

      boot.isContainer = true;
      nixpkgs.config.allowUnfree = true;

      networking = {
        useDHCP = false;
        # NOTE(review): with the firewall off, every listener inside the container
        # (redis, postgres, pages on :8090, coredns on :53) is reachable from the
        # host side of the veth; isolation rests on privateNetwork and host rules.
        firewall.enable = false;
        defaultGateway = {
          address = "192.168.100.1";
          interface = "eth0";
        };
      };

      users.users = {
        # NOTE(review): an empty hash gives root an empty password; as far as the
        # NixOS option semantics go this permits password-less root login on the
        # container console. SSH password auth is disabled further down, but a
        # locked value ("!") or a real hash would be safer — confirm whether
        # console login without a password is actually relied on.
        root.hashedPassword = "";
        git = {
          isSystemUser = true;
          group = "gitlab";
          home = "/persist/gitlab/home";
          uid = 165;
        };
      };

      services = {
        gitlab = {
          enable = true;
          databaseCreateLocally = true;

          host = "gitlab.infra4future.de";
          https = true;
          port = 443;

          statePath = "/persist/gitlab";
          user = "git";
          databaseUsername = "git";

          # Secret material is referenced by path only, so nothing sensitive
          # ends up in the Nix store.
          initialRootPasswordFile = "/persist/secrets/gitlab-root";
          secrets = {
            secretFile = "/persist/secrets/gitlab-secret";
            dbFile = "/persist/secrets/gitlab-db";
            otpFile = "/persist/secrets/gitlab-otp";
            jwsFile = "/persist/secrets/gitlab-jws";
          };

          smtp = {
            enable = true;
            address = "mail.hacc.space";
            port = 587;
            authentication = "plain";
            domain = "gitlab.infra4future.de";
            enableStartTLSAuto = true;
            username = "noreply@infra4future.de";
            passwordFile = "/persist/secrets/noreply-pass";
          };

          # GitLab Pages accepts proxied traffic on all container interfaces;
          # the host-side nginx vhost for 4future.dev forwards to this port.
          pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
          extraConfig = {
            pages = {
              enabled = true;
              host = "4future.dev";
              port = 443;
              https = true;
            };
            omniauth = {
              enabled = true;
              auto_sign_in_with_provider = "oauth2_generic";
              allow_single_sign_on = [ "oauth2_generic" ];
              # Accounts created via SSO are usable immediately; fine if the IdP
              # is the source of truth for who may log in — presumably intended.
              block_auto_created_users = false;
              providers = [
                {
                  name = "oauth2_generic";
                  label = "infra4future Login";
                  app_id = "gitlab";
                  # `_secret` presumably makes the module splice the file's contents
                  # in at runtime rather than embedding the value in the config.
                  app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
                  args = {
                    client_options = {
                      site = "https://login.infra4future.de";
                      user_info_url = "/oauth2/userinfo";
                      authorize_url = "/oauth2/authorize";
                      token_url = "/oauth2/token";
                    };
                    strategy_class = "OmniAuth::Strategies::OAuth2Generic";
                  };
                }
              ];
            };
          };
        };

        redis.enable = true;
        postgresql.package = pkgs.postgresql_13;

        nginx = {
          enable = true;
          recommendedGzipSettings = true;
          recommendedOptimisation = true;
          recommendedTlsSettings = true;
          # NOTE(review): recommendedProxySettings is not enabled here, so Host and
          # X-Forwarded-* headers are presumably not passed on to workhorse —
          # confirm GitLab (https = true above) sees the correct external URL.
          virtualHosts."gitlab.infra4future.de" = {
            default = true;
            locations."/" = {
              proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
              extraConfig = ''
                proxy_redirect off;
              '';
            };
          };
        };

        # sshd for git-over-ssh; key-based auth only.
        openssh = {
          enable = true;
          # NOTE(review): newer NixOS releases expose this as
          # settings.PasswordAuthentication — keep in step with the release in use.
          passwordAuthentication = false;
        };

        coredns = {
          enable = true;
          # All container DNS is forwarded in the clear to 1.1.1.1.
          config = ''
            .:53 {
              forward . 1.1.1.1
            }
          '';
        };
      };
    };
  in {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.7";

    # Writable state (GitLab data, secrets) survives container rebuilds here.
    bindMounts."/persist" = {
      hostPath = "/persist/containers/gitlab";
      isReadOnly = false;
    };

    path = (evalConfig { hosts = {}; groups = {}; } gitlabSystem).config.system.build.toplevel;
  };

  # DNAT TCP/22 on the host to the container's sshd (git-over-ssh).
  # NOTE(review): whether the host's own sshd stays reachable on 22 after this
  # depends on the hexchen nftables module — confirm before relying on it.
  hexchen.nftables.nat = {
    forwardPorts = [
      {
        proto = "tcp";
        ports = [ 22 ];
        destination = "${config.containers.gitlab.localAddress}:22";
      }
    ];
  };

  # Host-side TLS terminator for GitLab; plain HTTP from here to the container.
  services.nginx.virtualHosts."gitlab.infra4future.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://${config.containers.gitlab.localAddress}:80";
      # NOTE(review): only X-Nginx-Proxy is set explicitly; whether
      # X-Forwarded-Proto/Host reach GitLab depends on the host's global
      # proxy settings, which are not in this file — confirm.
      extraConfig = ''
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
      '';
    };
  };

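  # Wildcard vhost for GitLab Pages, proxied to the pages daemon in the container.
  services.nginx.virtualHosts."4future.dev" = {
    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
    # Regex server_name. In an ordinary Nix "..." string the escape `\.` is just
    # `.`, so the dots reached nginx unescaped and the pattern also matched names
    # such as "4futureXdev"; the backslashes must be doubled to yield a literal `\.`.
    serverName = "~^((.*)\\.)?4future\\.dev$";
    useACMEHost = "4future.dev";
    forceSSL = true;
  };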

  # Wildcard certificate for Pages; DNS-01 via Cloudflare is required for "*.".
  security.acme.certs."4future.dev" = {
    group = config.services.nginx.group;
    dnsProvider = "cloudflare";
    # NOTE(review): this file holds Cloudflare API credentials with DNS write
    # access; it is read by the acme service — keep it root-only readable.
    credentialsFile = "/var/lib/acme/cloudflare.pass";
    extraDomainNames = [ "*.4future.dev" ];
  };
}