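# NixOS module: runs Forgejo behind an nginx reverse proxy, optionally with
# ACME-issued TLS, and optionally creates the service user and group.
# Options under `config.aether.forgejo` are declared in ./options.nix.
{ config, lib, ... }:

let
  cfg = config.aether.forgejo;
  forgejo = config.services.forgejo;
  srv = forgejo.settings.server;
  # A null subdomain means Forgejo is served on the bare domain.
  useSubdomain = cfg.subdomain != null;
in
{
  imports = [ ./options.nix ];

  # mkMerge is used instead of `{ ... } // lib.mkIf ...`: mkIf returns a record
  # with `_type`, `condition` and `content` attributes, and `//` would splice
  # those into the unconditional attribute set rather than contribute a second,
  # conditional set of definitions.
  config = lib.mkMerge [
    {
      # Web server
      services.nginx.enable = true;
      services.nginx.virtualHosts.${srv.DOMAIN} = {
        # TLS and ACME are both driven by the single `aether.https` switch.
        forceSSL = config.aether.https;
        enableACME = config.aether.https;
        # Raise the request body limit so large uploads pass through the proxy.
        extraConfig = ''
          client_max_body_size 512M;
        '';
        # NOTE(review): HTTP_ADDR is not set in this module. Confirm the backend
        # binds to loopback only; otherwise HTTP_PORT is reachable without going
        # through nginx wherever the firewall does not block it.
        locations."/".proxyPass = "http://localhost:${builtins.toString srv.HTTP_PORT}";
      };

      security.acme.acceptTerms = config.aether.https;
      security.acme.defaults.email = cfg.acmeEmail;

      # Both ports are opened regardless of `aether.https`.
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      # Forgejo
      services.forgejo = {
        enable = true;
        user = cfg.user;
        # The service group and the database user both reuse the service user name.
        group = forgejo.user;
        database.user = forgejo.user;
        settings.server = {
          # "<subdomain>.<domain>" when a subdomain is set, else just "<domain>".
          DOMAIN = (lib.optionalString useSubdomain "${cfg.subdomain}.") + config.aether.domain;
          # NOTE(review): the scheme is always https, even when `aether.https`
          # is false and nginx serves plain HTTP. Confirm TLS is terminated
          # upstream in that case, or derive the scheme from `aether.https`.
          ROOT_URL = "https://${srv.DOMAIN}/";
        };
      };

      # `L+` creates the symlink and replaces whatever already exists at that path.
      # NOTE(review): the rule is gated on the subdomain being set, not on
      # `cfg.templates`; confirm that is the intended condition.
      systemd.tmpfiles.rules =
        lib.optional useSubdomain
          "L+ ${forgejo.stateDir}/custom/templates - - - - ${cfg.templates}";
    }

    # Only declare the system user and group when asked to.
    (lib.mkIf cfg.createUser {
      users.users.${forgejo.user} = {
        home = forgejo.stateDir;
        useDefaultShell = true;
        group = forgejo.group;
        isSystemUser = true;
      };
      users.groups.${forgejo.group} = { };
    })
  ];
}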