# NixOS module for a self-hosted SourceHut forge served under code.<domain>.
# It wires up the sr.ht services, a (currently disabled) MinIO object store,
# a dedicated ZFS dataset for state, and the nginx front-ends.  Every key the
# services need at runtime is referenced as a path to a file provided by the
# gnupg-backed secrets module rather than written into this file.
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.services) nginx;
  inherit (config.security) gnupg;

  # Public domain of the forge; each sr.ht component is a subdomain of it.
  domain = "code.${networking.domain}";

  # Units that must not start before the decrypted secret files exist.
  srhtUnits = [
    "metasrht.service"
    "metasrht-api.service"
    "gitsrht.service"
    "listsrht.service"
    "todosrht.service"
    "todosrht-lmtp.service"
  ];

  # Path of a decrypted secret file; the services read the file at start-up.
  secretPath = name: gnupg.secrets."sourcehut/${name}".path;

  # One OAuth client is shared by every component except git.sr.ht.
  sharedOAuthClient = {
    oauth-client-secret = secretPath "oauth-client-secret";
    oauth-client-id = "299db9f9c2013170";
  };
in
{
  # Declare the secrets and order them before the units that consume them.
  security.gnupg.secrets =
    lib.genAttrs
      (map (n: "sourcehut/${n}") [ "network-key" "service-key" "webhook-key" "oauth-client-secret" ])
      (_: {
        systemdConfig.before = srhtUnits;
        systemdConfig.wantedBy = srhtUnits;
      });

  # S3-compatible object store for builds/pages artefacts.  Not enabled yet.
  # NOTE(review): the credentials below are placeholders; values passed as
  # plain strings presumably end up in the world-readable Nix store, so confirm
  # how the module consumes them and provision real credentials from a secret
  # file before enabling MinIO.
  services.minio = {
    #enable = true;
    accessKey = "12345";
    secretKey = "12345678";
    #region = "";
    browser = true;
  };
  #environment.systemPackages = [ pkgs.minio-client ];

  services.sourcehut = {
    enable = true;
    # Only nginx talks to the services; they are not exposed on other interfaces.
    listenAddress = "localhost";

    builds = {
      #enable = true;
      #enableWorker = true;
      images.nixos.unstable.x86_64 =
        import sourcehut/builds/nixos-unstable.nix "x86_64-linux" { inherit pkgs lib config; };
    };
    #dispatch.enable = true;
    #git.enable = true;
    #hub.enable = true;
    meta = {
      enable = true;
      port = 4999;
    };
    #man.enable = true;
    #pages.enable = true;
    #paste.enable = true;
    todo.enable = true;
    #lists.enable = true;

    # Backing services managed on this host.
    postgresql.enable = true;
    postfix.enable = true;
    redis.enable = true;
    nginx = {
      enable = true;
      virtualHost.useACMEHost = networking.domain;
    };

    # Rendered into the sr.ht config.ini; the "<name>.sr.ht" sections map to components.
    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = domain;
        owner-email = "julm+srht@sourcephile.fr";
        owner-name = "Sourcephile";
        site-blurb = "a simple free software forge";
        site-info = "https://${domain}";
        site-name = "Sourcephile";
        # Generate with: nix shell nixpkgs#sourcehut.coresrht -c srht-keygen network
        network-key = secretPath "network-key";
        # Generate with: nix shell nixpkgs#sourcehut.coresrht -c srht-keygen service
        service-key = secretPath "service-key";
        #redis-host = "redis://localhost:6379/";
      };

      objects = {
        s3-upstream = "localhost";
        s3-access-key = "12345";
        # NOTE(review): pkgs.writeText stores this file in /nix/store, which every
        # local user can read; that is tolerable only while the value is a
        # placeholder.  Once MinIO is enabled, provide the key like the other
        # secrets (a gnupg-managed file referenced by path) instead.
        s3-secret-key = pkgs.writeText "s3-secret-key" "12345678";
      };

      # Bootstrap the first admin account with:
      #   nix shell nixpkgs#sourcehut.metasrht -c metasrht-manageuser -t admin -e mymail@gmail.com misuzu
      "builds.sr.ht" = sharedOAuthClient // { allow-free = true; };
      "dispatch.sr.ht" = sharedOAuthClient;
      "pages.sr.ht" = sharedOAuthClient // { s3-bucket = "pagesbuck"; };
      "paste.sr.ht" = sharedOAuthClient;
      "man.sr.ht" = sharedOAuthClient;
      "meta.sr.ht" = { };
      "meta.sr.ht::settings" = {
        onboarding-redirect = "https://meta.${domain}";
        # Self-registration is off: accounts are created by an admin (see above).
        registration = false;
      };
      "meta.sr.ht::api" = {
        #internal-ipnet = [ "127.0.0.0/8" "::1/128" "192.168.0.0/16" "10.0.0.0/8" ];
      };
      "todo.sr.ht" = sharedOAuthClient;
      "git.sr.ht" = {
        outgoing-domain = "https://git.${domain}";
        oauth-client-secret = secretPath "oauth-client-secret";
        oauth-client-id = "gitsrht";
      };
      "hub.sr.ht" = sharedOAuthClient;
      "lists.sr.ht" = sharedOAuthClient;
      "lists.sr.ht::worker" = {
        #sock = "/var/lib/postfix/queue/private/srht-lmtp";
      };

      # Generate with: nix shell nixpkgs#sourcehut.coresrht -c srht-keygen webhook
      # An earlier revision of this file carried the key as a literal; a key that
      # was ever committed should be treated as disclosed and regenerated.
      webhooks.private-key = secretPath "webhook-key";

      mail = {
        # Unauthenticated submission to the local Postfix enabled above.
        smtp-host = "localhost";
        smtp-port = 25;
        smtp-user = null;
        smtp-password = null;
        smtp-from = "julm+hut@${networking.domain}";
        error-to = "julm+hut+error@${networking.domain}";
        error-from = "julm+hut+error@${networking.domain}";
        # No PGP key is configured for outgoing mail.
        pgp-privkey = null;
        pgp-pubkey = null;
        pgp-key-id = null;
      };
    };
  };

  # Service state lives on its own ZFS dataset so it can be snapshotted on its own.
  fileSystems."/var/lib/sourcehut" = {
    device = "rpool/var/sourcehut";
    fsType = "zfs";
  };
  services.sanoid.datasets."rpool/var/sourcehut" = {
    use_template = [ "snap" ];
    daily = 31;
  };

  services.nginx.virtualHosts = {
    # Legacy *.hut.<domain> names redirect to the matching *.code.<domain> host.
    # The dots in this regex are unescaped, so each matches any character;
    # harmless for a redirect, but worth escaping if the pattern is reused.
    "~^(?<subdomain>[^.]+).hut.${networking.domain}" = {
      forceSSL = true;
      useACMEHost = networking.domain;
      globalRedirect = "$subdomain.code.${networking.domain}";
    };

    # GraphQL endpoint of meta.sr.ht: answer CORS pre-flight here and let any
    # origin query it.  Allow-Credentials is not set and Authorization is not
    # among the allowed headers, so cross-origin callers act unauthenticated.
    "meta.${domain}".locations."/query".extraConfig = lib.mkForce ''
      if ($request_method = 'OPTIONS') {
        ${nginx.configs.https_add_headers}
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
      }
      ${nginx.configs.https_add_headers}
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
      add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    '';
  };
}