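{ config, ... }:
let
  inherit (import ./lib.nix config) hostRule blazestar;

  # Host-side identity the container runs as. Both halves are spelled out so the
  # container's primary group is the host `git` group (see `user` below) and
  # agrees with the USER_GID handed to the image.
  giteaUid = toString config.users.users.gitea.uid;
  gitGid = toString config.users.groups.git.gid;
in
{
  # Gitea behind Traefik (HTTP on container port 3000) with git-over-SSH published
  # on host port 2222. Persistent data and config live on /tank bind mounts.
  virtualisation.oci-containers.containers.gitea = {
    # NOTE(review): a floating tag is mutable, so each pull may yield a different
    # build. Prefer a release tag or an `@sha256:` digest so upgrades are deliberate
    # and reproducible.
    image = "gitea/gitea:latest-rootless";
    autoStart = true;
    dependsOn = [ "db" ];

    extraOptions = [
      # Traefik: route the "git" hostname to this container on port 3000.
      "-l=traefik.enable=true"
      "-l=traefik.http.routers.gitea.rule=${hostRule "git" blazestar}"
      "-l=traefik.http.services.gitea.loadbalancer.server.port=3000"
      # Homepage dashboard metadata.
      "-l=homepage.group=Apps"
      "-l=homepage.name=Gitea"
      "-l=homepage.icon=gitea.png"
      "-l=homepage.href=https://git.${blazestar}"
      "-l=homepage.description=Git Server"
    ];

    # Host 2222 -> container 2222 (presumably the image's SSH listener — confirm
    # against the image's SSH_LISTEN_PORT). Without a host address this binds on
    # every interface; use "127.0.0.1:2222:2222" if SSH should only be reachable
    # through a proxy or VPN.
    ports = [ "2222:2222" ];

    volumes = [
      "/tank/git:/var/lib/gitea"
      "/tank/config/gitea:/etc/gitea"
    ];

    # uid:gid rather than uid alone: with only a uid, the container's GID comes
    # from the image's passwd lookup (and may fall back to 0 when that uid is
    # unknown there), so files written to the bind mounts could end up
    # group-owned by root instead of `git`.
    user = "${giteaUid}:${gitGid}";

    environment = {
      USER_UID = giteaUid;
      USER_GID = gitGid;
    };

    # DB credentials come from a sops-rendered env file generated at activation
    # time outside the Nix store, so the password is never world-readable.
    environmentFiles = [ config.sops.templates."gitea.env".path ];
  };

  # Restart the container when the password rotates so the env file is re-read.
  sops.secrets."gitea_db_password" = {
    restartUnits = [ "podman-gitea.service" ];
  };

  # GITEA__section__KEY variables override app.ini; only the password is secret.
  sops.templates."gitea.env".content = ''
    GITEA__database__DB_TYPE="postgres"
    GITEA__database__HOST="db"
    GITEA__database__NAME="gitea"
    GITEA__database__USER="gitea"
    GITEA__database__PASSWD="${config.sops.placeholder."gitea_db_password"}"
  '';
}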