# Gitea service module: hands a two-container compose definition (PostgreSQL
# plus the rootless Gitea image) to helper.mkPodmanService. Arguments are
# passed through as-is; their exact meaning is defined in ../service-helper.nix,
# which is not shown here.
{ config, pkgs, lib, ... }:

with lib;

let
  # Container config
  name = "gitea";

  # Version tagging
  # NOTE(review): both images are referenced by tag, not by digest, and
  # "18-alpine" names a major version only, so the database image can change
  # between pulls. Pin by digest if reproducible deployments matter.
  giteaVersion = "1.25.4-rootless";
  databaseVersion = "18-alpine";

  # Storage optimization
  # When HDD spindown is enabled and this service is selected (optimize is the
  # string "compatible", or a list that contains "gitea"), the Gitea data
  # volume is placed under configDir instead of dataDir.
  spindown = config.numbus-server.hardware.HddSpindown;
  optimizedDir = if spindown.enable && (spindown.optimize == "compatible" || (isList spindown.optimize && elem name spindown.optimize)) then cfg.configDir else cfg.dataDir;

  # Helper
  helper = import ../service-helper.nix { inherit config pkgs lib; };
  cfg = config.numbus-server.services.gitea;
in

helper.mkPodmanService {
  inherit name;
  # Passed as the string "false", not a boolean.
  pod = "false";
  description = "Gitea, your own self-hosted git platform";
  defaultPort = "3000";
  # True only when the data volume really lives under dataDir.
  dataDirEnabled = optimizedDir == cfg.dataDir;
  # presumably a reverse-proxy middleware name resolved by the helper; verify
  middlewares = [ "secureHeaders" ];
  # "owner:group path" entries for the bind-mounted directories.
  # NOTE(review): 100999 looks like the host-side id of container uid 1000
  # under a rootless subuid range starting at 100000; confirm against the
  # account that runs podman.
  dirPermissions = [
    "100999:100 ${cfg.configDir}"
    "100999:100 ${optimizedDir}/data"
    "100999:100 ${cfg.configDir}/config"
    "100999:100 ${cfg.configDir}/database"
  ];
  # sops secret names; each is referenced below via config.sops.placeholder.
  secrets = [
    "gitea/db_name"
    "gitea/db_username"
    "gitea/db_password"
  ];
  # Compose definition.
  #
  # What the text below establishes:
  #   - Both containers run as 1000:1000 with no-new-privileges and NET_RAW
  #     dropped.
  #   - gitea-database publishes no ports; gitea-server reaches it by hostname
  #     on the "gitea" bridge network (10.89.240.0/24, static addresses).
  #   - Only gitea-server publishes a port: cfg.port -> 3000/tcp.
  #
  # NOTE(review): the database name, user and password placeholders are
  # interpolated into `environment:` entries, so the rendered compose file
  # holds them in clear text and they are visible in each container's
  # environment. Confirm the rendered file's owner and mode in the helper.
  # The postgres image accepts POSTGRES_PASSWORD_FILE and Gitea accepts a
  # `__FILE` suffix (GITEA__database__PASSWD__FILE) if file-based secrets are
  # preferred.
  #
  # NOTE(review): the port mapping has no host address, so it is published on
  # every host interface. If the reverse proxy is meant to be the only entry
  # point, confirm a firewall covers cfg.port or bind the mapping to loopback.
  #
  # NOTE(review): SSH_PORT=2424 is what Gitea advertises in clone URLs; no SSH
  # port is published in this file. Confirm whether SSH access is intended and
  # where it is exposed.
  #
  # NOTE(review): no GITEA__security__INSTALL_LOCK is set here. Unless the
  # app.ini under configDir/config sets it, the first visitor reaches the
  # install page. Confirm.
  #
  # NOTE(review): cap_drop lists only NET_RAW. Since both services already
  # run unprivileged, dropping ALL is probably viable; test before changing.
  composeText = ''
    services:
      gitea-database:
        image: docker.io/library/postgres:${databaseVersion}
        container_name: gitea-database
        hostname: gitea-database
        user: '1000:1000'
        networks:
          gitea:
            ipv4_address: 10.89.240.253
        volumes:
          - ${cfg.configDir}/database:/var/lib/postgresql
        environment:
          - POSTGRES_DB=${config.sops.placeholder."gitea/db_name"}
          - POSTGRES_USER=${config.sops.placeholder."gitea/db_username"}
          - POSTGRES_PASSWORD=${config.sops.placeholder."gitea/db_password"}
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      gitea-server:
        image: docker.gitea.com/gitea:${giteaVersion}
        container_name: gitea-server
        hostname: gitea-server
        user: '1000:1000'
        networks:
          gitea:
            ipv4_address: 10.89.240.252
        ports:
          - "${cfg.port}:3000/tcp"
        volumes:
          - ${optimizedDir}/data:/var/lib/gitea
          - ${cfg.configDir}/config:/etc/gitea
          - /etc/localtime:/etc/localtime:ro
        environment:
          - GITEA__database__DB_TYPE=postgres
          - GITEA__database__HOST=gitea-database:5432
          - GITEA__database__NAME=${config.sops.placeholder."gitea/db_name"}
          - GITEA__database__USER=${config.sops.placeholder."gitea/db_username"}
          - GITEA__database__PASSWD=${config.sops.placeholder."gitea/db_password"}
          - GITEA__server__SSH_PORT=2424
          - GITEA__server__ROOT_URL=https://${cfg.subdomain}.${config.numbus-server.services.domain}
        depends_on:
          - gitea-database
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      gitea:
        driver: bridge
        name: gitea
        ipam:
          config:
            - subnet: "10.89.240.0/24"
              gateway: "10.89.240.254"
  '';
}