{ config, ... }:
let
  inherit (import ./lib.nix config) mkContainer blazestar;

  # Both containers are keyed to the host's `gitea` user and `git` group so
  # that files under /tank/git and /tank/config/gitea stay owned by them.
  giteaUid = toString config.users.users.gitea.uid;
  gitGid = toString config.users.groups.git.gid;
in
{
  # Secrets are rendered into env files through sops templates below; each
  # consuming container unit is restarted whenever its secret changes.
  sops.secrets."gitea/db_password".restartUnits = [ "podman-gitea.service" ];
  sops.secrets."gitea/registration_token".restartUnits = [ "podman-gitea-runner.service" ];

  # Database settings consumed by the Gitea image's GITEA__section__KEY
  # environment-to-ini mechanism; the password is substituted at activation.
  # NOTE(review): these values are double-quoted while gitea-runner.env's are
  # not; whether the quotes survive into the rendered ini depends on podman's
  # env-file parsing -- confirm on the running instance.
  sops.templates."gitea.env".content = ''
    GITEA__database__DB_TYPE="postgres"
    GITEA__database__HOST="db"
    GITEA__database__NAME="gitea"
    GITEA__database__USER="gitea"
    GITEA__database__PASSWD="${config.sops.placeholder."gitea/db_password"}"
  '';

  # Gitea itself, exposed through mkContainer's reverse-proxy/homepage wiring.
  # The image uses a floating tag, so the deployed version changes on every
  # pull; pinning to a digest would make upgrades explicit and reviewable.
  virtualisation.oci-containers.containers.gitea = mkContainer {
    image = "gitea/gitea:latest-rootless";
    dependsOn = [ "db" ];

    hostName = "git";
    domain = blazestar;
    public = true;
    port = 3000;
    homepageOpts = {
      name = "Gitea";
      icon = "gitea.png";
      description = "Git Server";
      group = "Apps";
    };

    # SSH is published directly on host port 2222 (not through the proxied
    # `port` above), so it is reachable on every host interface podman binds.
    ports = [ "2222:2222" ];

    volumes = [
      "/tank/git:/var/lib/gitea"
      "/tank/config/gitea:/etc/gitea"
    ];

    # Run the container process as the host uid and tell the rootless image
    # the same ids so it does not try to chown as root.
    user = giteaUid;
    environment = {
      USER_UID = giteaUid;
      USER_GID = gitGid;
    };
    environmentFiles = [ config.sops.templates."gitea.env".path ];
  };

  # Registration details for act_runner; the token is a secret because anyone
  # holding it can enroll a runner that receives this instance's jobs.
  sops.templates."gitea-runner.env".content = ''
    GITEA_RUNNER_NAME=MCP
    GITEA_INSTANCE_URL=https://git.${blazestar}
    GITEA_RUNNER_REGISTRATION_TOKEN=${config.sops.placeholder."gitea/registration_token"}
  '';

  # Actions runner. Not wrapped in mkContainer because it serves no HTTP and
  # has no proxy/homepage entry. Floating `latest` tag, as above.
  virtualisation.oci-containers.containers.gitea-runner = {
    image = "gitea/act_runner:latest";
    autoStart = true;
    environmentFiles = [ config.sops.templates."gitea-runner.env".path ];
    volumes = [
      # The runner spawns a container per job through this socket. Whatever can
      # talk to the host's system podman socket controls the container runtime
      # (bind mounts, privileged containers), so a compromised runner or a
      # malicious workflow is effectively host-root. The `:ro` flag only makes
      # the socket inode read-only; it does not restrict the API calls made
      # over it. Treat workflow access on this instance accordingly.
      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
    ];
  };
}