{ cluster, config, depot, lib, pkgs, ... }:

let
  inherit (depot.lib.meta) domain;
  inherit (cluster.config.services.forge) secrets;

  patroni = cluster.config.links.patroni-pg-access;

  host = "forge.${domain}";

  link = cluster.config.hostLinks.${config.networking.hostName}.forge;

  exe = lib.getExe config.services.forgejo.package;
in

{
  system.ascensions.forgejo = {
    requiredBy = [ "forgejo.service" ];
    before = [ "forgejo.service" ];
    incantations = i: [
      (i.execShell "chown -R forgejo:forgejo /srv/storage/private/forge")
      (i.execShell "rm -rf /srv/storage/private/forge/data/{attachments,lfs,avatars,repo-avatars,repo-archive,packages,actions_log,actions_artifacts}")
    ];
  };

  services.locksmith.waitForSecrets.forgejo = [
    "garage-forgejo-id"
    "garage-forgejo-secret"
  ];

  services.forgejo = {
    enable = true;
    package = depot.packages.forgejo;
    stateDir = "/srv/storage/private/forge";
    database = {
      createDatabase = false;
      type = "postgres";
      host = patroni.ipv4;
      inherit (patroni) port;
      name = "forge";
      user = "forge";
      passwordFile = secrets.dbCredentials.path;
    };
    settings = {
      DEFAULT = {
        APP_NAME = "The Forge";
      };
      server = {
        DOMAIN = host;
        ROOT_URL = "https://${host}/";
        PROTOCOL = link.protocol;
        HTTP_ADDR = link.ipv4;
        HTTP_PORT = link.port;
        SSH_DOMAIN = "ssh.${host}";
      };
      oauth2_client = {
        REGISTER_EMAIL_CONFIRM = false;
        ENABLE_AUTO_REGISTRATION = true;
        ACCOUNT_LINKING = "auto";
        UPDATE_AVATAR = true;
      };
      session.COOKIE_SECURE = true;
      service = {
        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      };
      storage = {
        STORAGE_TYPE = "minio";
        MINIO_ENDPOINT = cluster.config.links.garageS3.hostname;
        MINIO_BUCKET = "forgejo";
        MINIO_USE_SSL = true;
        MINIO_BUCKET_LOOKUP = "path";
      };
      log."logger.xorm.MODE" = "";
      # enabling this will leak secrets to the log
      database.LOG_SQL = false;
    };
    secrets = {
      storage = {
        MINIO_ACCESS_KEY_ID = "/run/locksmith/garage-forgejo-id";
        MINIO_SECRET_ACCESS_KEY = "/run/locksmith/garage-forgejo-secret";
      };
    };
  };

  systemd.services.forgejo.preStart = let
    providerName = "PrivateVoidAccount";
    args = lib.escapeShellArgs [
      "--name" providerName
      "--provider" "openidConnect"
      "--key" "net.privatevoid.forge1"
      "--auto-discover-url" "https://login.${domain}/auth/realms/master/.well-known/openid-configuration"
      "--group-claim-name" "groups"
      "--admin-group" "/forge_admins@${domain}"
    ];
  in lib.mkAfter /*bash*/ ''
    providerId="$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)"
    if [[ -z "$providerId" ]]; then
      FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.oidcSecret.path})" ${exe} admin auth add-oauth ${args}
    else
      FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.oidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}
    fi
  '';
}