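{ config, my, pkgs, ... }:
let
  # Directory holding the sourcehut secrets (network/service keys, OAuth client
  # secret, PGP key pair, webhook key). Only paths are passed to sourcehut; the
  # services open the files themselves at start-up, so the on-disk ownership and
  # mode of this directory must allow the sourcehut service users to read them
  # (the bind mount below only makes the path visible inside the sandbox).
  secretsPath = "/var/secrets/sourcehut";

  # ACME certificate shared by all sourcehut virtual hosts. The wildcard SAN for
  # `*.${fqdn}` is added to it below; `${fqdn}` itself is not covered by that
  # wildcard, so if the apex host is ever served it needs its own SAN.
  acmeHost = "c8h4.io";
  fqdn = "srht.${acmeHost}";

  # systemd units that read secrets from `secretsPath` and therefore get it
  # bind-mounted read-only into their sandbox.
  secretConsumers = [
    "metasrht"
    "metasrht-api"
    "metasrht-daily"
    "metasrht-webhooks"
    "gitsrht"
    "gitsrht-api"
    "gitsrht-periodic"
    "gitsrht-webhooks"
  ];
in {
  services.sourcehut = {
    enable = true;
    redis.enable = true;
    postgresql.enable = true;

    meta = {
      enable = true;
      # Listen on loopback only; nginx terminates TLS and proxies to gunicorn.
      gunicorn.extraArgs = [ "--bind [::1]:${toString config.services.sourcehut.meta.port}" ];
    };

    git = {
      enable = true;
      user = "git";
      gunicorn.extraArgs = [ "--bind [::1]:${toString config.services.sourcehut.git.port}" ];
    };

    nginx = {
      enable = true;
      virtualHost.useACMEHost = acmeHost;
    };

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = fqdn;
        owner-name = "Christoph Heiss";
        owner-email = "christoph@c8h4.io";
        network-key = "${secretsPath}/network-key";
        service-key = "${secretsPath}/service-key";
      };

      "meta.sr.ht".origin = "https://meta.${fqdn}";
      # Closed instance: no self-registration and no invites from existing users.
      "meta.sr.ht::settings" = {
        user-invites = 0;
        registration = false;
      };

      "git.sr.ht" = {
        # NOTE(review): meta.sr.ht normally issues an opaque client id for each
        # service; using the FQDN here is unusual — confirm it matches the id
        # registered in meta.sr.ht.
        oauth-client-id = fqdn;
        oauth-client-secret = "${secretsPath}/oauth-client-secret";
        outgoing-domain = "https://git.${fqdn}";
        origin = "https://git.${fqdn}";
      };

      mail = {
        smtp-from = "srht@c8h4.io";
        pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
        pgp-pubkey = "${secretsPath}/pgp-pubkey";
        pgp-privkey = "${secretsPath}/pgp-privkey";
      };

      webhooks.private-key = "${secretsPath}/webhooks-private-key";
    };
  };

  # Wildcard SAN covering meta.${fqdn}, git.${fqdn}, ... on the shared cert.
  security.acme.certs.${acmeHost}.extraDomainNames = [ "*.${fqdn}" ];

  # Bind the secrets directory read-only into every service that needs it.
  systemd.services = builtins.listToAttrs (map (name: {
    inherit name;
    value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
  }) secretConsumers);

  # Only the git user may log in over SSH (git.sr.ht handles key lookup).
  services.openssh.settings.AllowUsers = [ "git" ];

  users.users.git = {
    # Disable password login for the `git` user. `*` is not a valid crypt(3)
    # hash, so password authentication can never succeed; only SSH keys
    # managed by git.sr.ht grant access. Note: the `password` option takes a
    # *clear-text* password and would have turned "*" into a working login
    # password, so `hashedPassword` is required here.
    hashedPassword = "*";
    extraGroups = [ "restic-backup" ];
  };

  # Nightly restic backup of the git repositories, run as the `git` user so
  # the repository files are readable without extra privileges.
  # NOTE(review): only the on-disk repositories are included; the PostgreSQL
  # state used by meta.sr.ht/git.sr.ht is not covered here — confirm it is
  # backed up elsewhere.
  services.restic.backups.gitsrht = let
    resticCfg = my.homelab.services.restic;
  in {
    inherit (resticCfg) environmentFile;
    initialize = true;
    repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
    passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
    user = "git";
    paths = [ "/var/lib/sourcehut/gitsrht" ];
    timerConfig.OnCalendar = "*-*-* 4:15:00"; # daily at 04:15
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "gitsrht";
      inherit pkgs;
      inherit (my.notifications.backup-bot) environmentFile;
    };
  };
}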