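{ config, lib, pkgs, ... }:
let
  cfg = config.alisceon.forgejo;
  forgejoDomain = cfg.domain;

  # One package for the service, for the CLI inside the token script and for
  # the system PATH, so all three always agree on the Forgejo build.
  forgejoPackage = pkgs.forgejo-lts;

  # Forgejo's own state directory.  forgejo.service (ordered before the token
  # unit below) provisions it for the forgejo user; this module no longer
  # writes anything into it as root.
  forgejoStateDir = "/var/lib/forgejo";

  # The runner registration token lives OUTSIDE the forgejo-owned state dir,
  # in a root-only directory that systemd creates through StateDirectory=.
  # Previously the root-owned token was written into /var/lib/forgejo, a
  # directory the forgejo service user can modify: that user could delete or
  # replace the token file, or plant a symlink there and have the root-run
  # script write its output to an arbitrary path.  A directory only root can
  # enter closes both.  The directory name is chosen here; rename it if it
  # collides with something else on the host.  A token left at the old path
  # on already-deployed hosts is simply not used any more; a fresh one is
  # minted into the new location on the next boot.
  runnerTokenDirName = "forgejo-runner-token";
  runnerTokenFile = "/var/lib/${runnerTokenDirName}/runner_token";

  generateForgejoRunnerToken = pkgs.writeShellApplication {
    name = "generate-forgejo-runner-token";
    runtimeInputs = [ pkgs.coreutils pkgs.util-linux ];
    # writeShellApplication runs this under `set -euo pipefail`, so a failing
    # forgejo invocation aborts the unit instead of writing a bogus token.
    # Nothing here echoes the token, so journal+console logging is safe.
    text = ''
      token_file=${lib.escapeShellArg runnerTokenFile}

      # Idempotent: an existing, non-empty token is reused.  The directory is
      # root-only, so the file cannot have been tampered with by the service
      # user; the chmod is belt-and-braces only.
      if [ -s "$token_file" ]; then
        chmod 0600 "$token_file"
        exit 0
      fi

      # Mint the token as the forgejo user (it needs app.ini and the database
      # in the work dir).  Only the token string comes back to this root shell.
      token="$(runuser -u forgejo -- env \
        FORGEJO_WORK_DIR=${forgejoStateDir} \
        FORGEJO_CUSTOM=${forgejoStateDir}/custom \
        ${lib.getExe forgejoPackage} actions generate-runner-token)"
      if [ -z "$token" ]; then
        echo "forgejo actions generate-runner-token printed an empty token" >&2
        exit 1
      fi

      # Create the file 0600 from the first byte (umask + mktemp) and rename
      # it into place, so the runner never observes a partially written file.
      umask 0077
      tmp="$(mktemp "$token_file.XXXXXX")"
      printf 'TOKEN=%s\n' "$token" > "$tmp"
      chmod 0600 "$tmp"
      mv -f "$tmp" "$token_file"
    '';
  };
in
{
  options.alisceon.forgejo.domain = lib.mkOption {
    type = lib.types.str;
    description = "Public domain name for Forgejo.";
  };

  config = {
    services.forgejo = {
      enable = true;
      package = forgejoPackage;
      database.type = "sqlite3";
      lfs.enable = true;
      settings = {
        server = {
          DOMAIN = forgejoDomain;
          ROOT_URL = "https://${forgejoDomain}/";
          # Loopback only; ROOT_URL is https, so presumably a reverse proxy
          # configured elsewhere sits in front of this listener.
          HTTP_ADDR = "127.0.0.1";
          HTTP_PORT = 3000;
          SSH_DOMAIN = forgejoDomain;
          # Advertised SSH port; Forgejo's built-in SSH server is not enabled
          # here, so git-over-ssh goes through the host's sshd.
          SSH_PORT = 22;
          DISABLE_SSH = false;
        };
        session.COOKIE_SECURE = true;
        service = {
          # No self-service sign-up; accounts are created by an admin.
          DISABLE_REGISTRATION = true;
          REQUIRE_SIGNIN_VIEW = false;
        };
        actions.ENABLED = true;
        repository = {
          DEFAULT_PRIVATE = "private";
          DISABLE_HTTP_GIT = false;
        };
        "cron.archive_cleanup" = {
          ENABLED = true;
          RUN_AT_START = true;
          SCHEDULE = "@every 24h";
          OLDER_THAN = "72h";
        };
        log.LEVEL = "Warn";
      };
    };

    services.gitea-actions-runner = {
      package = pkgs.forgejo-runner;
      instances.alisceon-core-podman = {
        enable = true;
        name = "alisceon-core-podman";
        url = "https://${forgejoDomain}";
        # Environment file holding `TOKEN=...`, produced by
        # forgejo-runner-token.service below (root:root 0600; presumably
        # read by systemd as EnvironmentFile= for the runner unit — verify
        # against the gitea-actions-runner module if the runner cannot read it).
        tokenFile = runnerTokenFile;
        labels = lib.mkDefault [ "podman" ];
        settings = {
          container = {
            # Jobs share the host network namespace, so they can reach
            # loopback listeners such as Forgejo on 127.0.0.1:3000.  Keep that
            # in mind when adding other local-only services to this host.
            network = "host";
            privileged = false;
            # No host paths may be bind-mounted into job containers.
            valid_volumes = [ ];
          };
          cache.enabled = false;
        };
      };
    };

    systemd.services.forgejo-runner-token = {
      description = "Generate Forgejo runner registration token";
      wantedBy = [ "multi-user.target" ];
      # A running Forgejo (app.ini + database) is needed to mint the token.
      after = [ "forgejo.service" ];
      requires = [ "forgejo.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # Creates /var/lib/<runnerTokenDirName> as root:root 0700, the only
        # place the token script writes to.
        StateDirectory = runnerTokenDirName;
        StateDirectoryMode = "0700";
        StandardError = "journal+console";
        StandardOutput = "journal+console";
      };
      script = lib.getExe generateForgejoRunnerToken;
    };

    # Unit name as produced by the gitea-actions-runner module for the
    # instance above (each "-" in the instance name escaped as \x2d).  The
    # runner must not start before the token file exists.
    systemd.services."gitea-runner-alisceon\\x2dcore\\x2dpodman" = {
      after = [ "forgejo-runner-token.service" ];
      requires = [ "forgejo-runner-token.service" ];
    };

    environment.systemPackages = [ forgejoPackage ];
  };
}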