# Forgejo behind a Caddy reverse proxy, with SMTP credentials supplied by sops.
# `inputs.nix-secrets` is expected to contain `sops/services.yaml` holding the
# `generic/smtp/*` keys referenced below.
{ inputs, config, ... }:
let
  # Directory inside the nix-secrets input that holds the sops-encrypted files.
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
in
{
  # TLS terminates at Caddy; Forgejo itself is only reached over plain HTTP on :3000.
  services.caddy.virtualHosts."git.wanderingcrow.net".extraConfig = ''
    reverse_proxy http://localhost:3000
  '';

  # SMTP settings stay encrypted at rest; only the decrypted file paths are handed
  # to Forgejo (see `services.forgejo.secrets` below).
  # NOTE(review): sops-nix materialises these as root-owned 0400 files by default.
  # Confirm the forgejo module reads them with sufficient privilege, or set
  # `owner = config.services.forgejo.user;` on each secret if it reads them as the
  # service user.
  sops.secrets = {
    "generic/smtp/server" = { sopsFile = "${sopsFolder}/services.yaml"; };
    "generic/smtp/port" = { sopsFile = "${sopsFolder}/services.yaml"; };
    "generic/smtp/user" = { sopsFile = "${sopsFolder}/services.yaml"; };
    "generic/smtp/pass" = { sopsFile = "${sopsFolder}/services.yaml"; };
  };

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    database = {
      # Single-node deployment: local SQLite file managed by the module.
      type = "sqlite3";
      createDatabase = true;
    };
    settings = {
      server = {
        DOMAIN = "git.wanderingcrow.net";
        # Public URL as seen through Caddy; used for links, redirects and e-mails.
        ROOT_URL = "https://git.wanderingcrow.net";
        # Must match the Caddy `reverse_proxy` target above.
        HTTP_PORT = 3000;
        # NOTE(review): HTTP_ADDR is not set here; verify the effective bind address
        # is 127.0.0.1 (or firewall :3000) so that Caddy is the only way in.
      };
      service = {
        REGISTER_EMAIL_CONFIRM = true;
        ENABLE_NOTIFY_MAIL = true;
        # I want to offload account security to OIDC provider
        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = false;
        # Hides the local username/password sign-in form.
        ENABLE_INTERNAL_SIGNIN = false;
        EMAIL_DOMAIN_BLOCK_DISPOSABLE = true;
        # NOTE(review): with this set to false the local registration form stays open,
        # so account creation is not fully offloaded to the OIDC provider as the comment
        # above intends. Set it to true (and/or DISABLE_REGISTRATION) if local accounts
        # are not wanted; the admin can still create users via CLI/admin UI.
        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
        # NOTE(review): ENABLE_OPENID_SIGNIN / ENABLE_OPENID_SIGNUP / WHITELISTED_URIS are
        # `[openid]`-section keys for the legacy OpenID 2.0 login, not OAuth2/OIDC; placed
        # under `service` they are most likely ignored. An OIDC provider is registered as
        # an authentication source (admin UI or `forgejo admin auth add-oauth`), and the
        # legacy OpenID form can then be switched off via `openid.ENABLE_OPENID_SIGNIN`.
        # Verify against the Forgejo config cheat sheet before relying on these keys.
        ENABLE_OPENID_SIGNIN = true;
        ENABLE_OPENID_SIGNUP = true;
        # NOTE(review): WHITELISTED_URIS is presumably matched as a regex pattern; if it
        # is kept, anchor and escape it (e.g. "^https://auth\\.wanderingcrow\\.net/")
        # so the unescaped dots cannot match unrelated hosts — confirm.
        WHITELISTED_URIS = "auth.wanderingcrow.net";
      };
      mailer = {
        # Required for REGISTER_EMAIL_CONFIRM / ENABLE_NOTIFY_MAIL above to work.
        ENABLED = true;
      };
    };
    # Secret-valued settings: each value is a path to a decrypted sops file whose
    # contents are spliced into the mailer section at service start, so the
    # credentials never land in the Nix store.
    secrets = {
      mailer = {
        SMTP_ADDR = config.sops.secrets."generic/smtp/server".path;
        SMTP_PORT = config.sops.secrets."generic/smtp/port".path;
        USER = config.sops.secrets."generic/smtp/user".path;
        PASSWD = config.sops.secrets."generic/smtp/pass".path;
      };
    };
  };
}