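# Host-side NixOS module: runs Gitea in a declarative NixOS container with its
# own network namespace. State is persisted on the NAS through a bind mount and
# secrets come from sops-nix through a read-only bind mount.
{ config, ... }:
let
  # Host and container ends of the container's veth pair.
  hostAddress = "10.0.1.18";
  localAddress = "10.0.4.18";
  # Port Gitea serves plain HTTP on (TLS is terminated by the reverse proxy
  # that owns rootUrl) and the SSH port advertised in clone URLs.
  httpPort = 3000;
  sshPort = 2222;
  rootUrl = "https://gitea.mjallen.dev/";
  # Persistent Gitea state on the NAS, mounted at dataDir inside the container.
  stateDir = "/media/nas/ssd/nix-app-data/gitea";
  dataDir = "/var/lib/gitea";
  # Directory of sops-decrypted secrets on the host; mounted read-only at the
  # same path inside the container so the secret paths below stay valid.
  secretsDir = "/run/secrets/jallen-nas/gitea";
  mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
  metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
in
{
  containers.gitea = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;

    bindMounts = {
      ${dataDir} = {
        hostPath = stateDir;
        isReadOnly = false;
      };
      secrets = {
        hostPath = secretsDir;
        mountPoint = secretsDir;
        # Read-only: the container must never be able to alter host secrets.
        isReadOnly = true;
      };
    };

    config = { lib, ... }: {
      services.gitea = {
        enable = true;
        stateDir = dataDir;
        useWizard = false;
        inherit mailerPasswordFile metricsTokenFile;

        settings = {
          server = {
            # DOMAIN is what SSH clone URLs are built from (SSH_DOMAIN defaults
            # to it); ROOT_URL is the public https address. Presumably the LAN
            # name is intended for SSH — TODO confirm.
            DOMAIN = "jallen-nas";
            # Must bind on all addresses: requests reach the container via NAT
            # to localAddress, never via loopback.
            HTTP_ADDR = "0.0.0.0";
            HTTP_PORT = httpPort;
            PROTOCOL = "http";
            ROOT_URL = rootUrl;
            # Port shown in clone URLs. The NAT rule below forwards it to port
            # 22 inside the container, so something must answer on 22 there;
            # Gitea's builtin server would instead need START_SSH_SERVER and
            # would listen on SSH_LISTEN_PORT (defaults to SSH_PORT) — TODO
            # confirm which daemon is meant to serve SSH.
            SSH_PORT = sshPort;
            # SSH_LISTEN_PORT = sshPort;
          };
          security = {
            # Only trust proxy-supplied headers from the reverse proxy itself.
            # Gitea's default is loopback only, which the proxy can never match
            # from inside the container; the host-side proxy reaches Gitea with
            # hostAddress as its source, while DNAT'd LAN clients keep their own
            # address and are therefore not trusted. Assumes the proxy runs on
            # the container host — confirm, and widen only to the proxy's
            # actual address if it does not.
            REVERSE_PROXY_TRUSTED_PROXIES = hostAddress;
          };
          service = {
            # Self-registration is off, so the confirmation/captcha toggles are
            # effectively inert; accounts are created by an admin.
            REGISTER_EMAIL_CONFIRM = false;
            ENABLE_CAPTCHA = false;
            DISABLE_REGISTRATION = true;
            ENABLE_OPENID_SIGNIN = false;
            # NOTE(review): ENABLE_LDAP_SIGNIN, ENABLE_SSH_SIGNIN and
            # ENABLE_BUILTIN_SSH_SERVER do not appear to be keys in Gitea's
            # documented app.ini (the builtin server is server.START_SSH_SERVER);
            # kept as-is pending confirmation against the deployed version.
            ENABLE_LDAP_SIGNIN = false;
            ENABLE_SSH_SIGNIN = true;
            ENABLE_BUILTIN_SSH_SERVER = true;
            # Gitea logs in whichever user the proxy names in the
            # X-WEBAUTH-USER header (REVERSE_PROXY_AUTHENTICATION_USER). Since
            # httpPort is NAT-forwarded from the host, nothing but the proxy
            # may be able to reach that port, or the header can be forged;
            # REVERSE_PROXY_TRUSTED_PROXIES above narrows who is believed.
            ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
          };
        };
      };

      # sops-nix exposes decrypted secrets to the "keys" group; NixOS assigns
      # that group a fixed gid, so membership carries across the bind mount.
      users.users.gitea.extraGroups = [ "keys" ];

      networking = {
        firewall = {
          enable = true;
          # 22 is where the host forwards sshPort to (see networking.nat).
          allowedTCPPorts = [ httpPort sshPort 22 ];
        };
        # Use systemd-resolved inside the container instead of the host's
        # resolv.conf. Workaround for https://github.com/NixOS/nixpkgs/issues/162686
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      # Ensure the bind-mounted state tree is owned by the service user and not
      # readable by anyone else. A recursive chmod 775 here would make the
      # whole Gitea state (sqlite database, generated app.ini secrets, repository
      # contents) world-readable both in the container and on the host side of
      # the mount. The secrets mount is read-only and is read via the "keys"
      # group, so no ownership/mode change is attempted there (it would only
      # fail with EROFS).
      system.activationScripts.gitea-dirs = ''
        install -d -m 0750 -o gitea -g gitea ${dataDir}
        chown -R gitea:gitea ${dataDir}
        chmod -R o-rwx ${dataDir}
      '';

      system.stateVersion = "23.11";
    };
  };

  # Publish the container on the host: HTTP for the reverse proxy and the
  # advertised SSH port. DNAT normally preserves the client's source address,
  # which is what the trusted-proxy setting above relies on.
  networking.nat.forwardPorts = [
    {
      sourcePort = httpPort;
      destination = "${localAddress}:${toString httpPort}";
    }
    {
      # Host port sshPort lands on port 22 inside the container, i.e. on an
      # sshd there rather than on Gitea's SSH_PORT.
      sourcePort = sshPort;
      destination = "${localAddress}:22";
    }
    # Disabled: forwarding the host's own port 22 into the container.
    # {
    #   sourcePort = 22;
    #   destination = "${localAddress}:22";
    # }
  ];
}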