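# NixOS module: Gitea ("NxGit") backed by an external PostgreSQL database.
# - the database password is provisioned through sops-nix
# - a dump is taken daily into /var/backup/gitea
# - git-over-SSH is enabled but Gitea's built-in SSH server is off
# - a custom CSS theme is linked into the state directory at activation time
{ config, pkgs, secrets, user, domain, ... }:
let
  # Name shared by the service account and its primary group.
  git-user = "git";
in
{
  sops.secrets = {
    # Owned by the Gitea account so the service can read the decrypted file
    # referenced by services.gitea.database.passwordFile below.
    "postgres-pw" = {
      owner = config.services.gitea.user;
    };
  };

  users = {
    users = {
      # The administrator joins the service group and can therefore read
      # anything under stateDir that is group-readable.
      "${user}".extraGroups = [ git-user ];

      "${git-user}" = {
        isSystemUser = true;
        group = git-user;
        useDefaultShell = true;
        home = config.services.gitea.stateDir;
        # NOTE(review): these are the administrator's keys, installed with no
        # forced command. Together with useDefaultShell they give every holder
        # of such a key a login shell as the service account, unlike keys that
        # are registered through Gitea itself. Confirm this is intended.
        openssh.authorizedKeys.keys =
          config.users.users."${user}".openssh.authorizedKeys.keys;
      };
    };
    groups."${git-user}" = {};
  };

  services.gitea = {
    enable = true;
    package = pkgs.gitea;
    group = git-user;
    user = git-user;
    appName = "NxGit";
    stateDir = "/var/lib/gitea"; # default
    useWizard = false; # default
    # camoHmacKeyFile = ;

    database = {
      createDatabase = false; # default
      # NOTE(review): this reuses the server's *listen* setting as the client's
      # connect target. That only works while listen_addresses is a single
      # concrete address; a wildcard or a comma-separated list is not a valid
      # host to connect to. Verify against the PostgreSQL module config.
      host = config.services.postgresql.settings.listen_addresses;
      port = config.services.postgresql.settings.port;
      # Path to the sops-decrypted secret; the password itself stays out of
      # the evaluated configuration.
      passwordFile = config.sops.secrets."postgres-pw".path;
      socket = null;
      type = "postgres";
      name = "gitea"; # default
      user = "gitea"; # default
    };

    dump = {
      enable = true;
      # The archive is a full copy of the instance data; treat this directory
      # as being as sensitive as stateDir.
      backupDir = "/var/backup/gitea";
      # NOTE(review): fixed file name. Confirm how the daily job behaves when
      # the previous archive is still present, and rotate copies elsewhere if
      # more than one generation is needed.
      file = "gitea-dump.zip"; # default = chosen by gitea
      interval = "daily";
      type = "zip"; # default
    };

    # extraConfig = null; # default
    # lfs = {
    #   enable = false; # default
    #   contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default
    # };
    # mailerPasswordFile = null; # default
    # metricsTokenFile = null; # default
    # repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default

    settings = {
      log = {
        LEVEL = "Info";
        # LEVEL = "Error";
      };

      server = {
        DISABLE_SSH = false; # default
        START_SSH_SERVER = false; # default
        # Only read by Gitea's built-in SSH server, which is disabled above;
        # the system sshd decides what is actually exposed.
        SSH_LISTEN_HOST = "0.0.0.0";
        # Taken from `secrets` at evaluation time, so the value is part of the
        # evaluated configuration. Presumably it must match the port the
        # system sshd listens on -- TODO confirm.
        SSH_PORT = secrets.ssh.port;
        DOMAIN = "git.${domain}";
        SSH_DOMAIN = "ssh.${domain}";
        # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}";
        # HTTP_PORT = 3000; # default
        # PROTOCOL = "http"; # default
        # Explicit HTTPS URL while PROTOCOL stays at its HTTP default: TLS is
        # presumably terminated by a reverse proxy defined elsewhere.
        ROOT_URL = "https://git.${domain}/";
      };

      session = {
        # Session cookie is only sent over HTTPS; matches ROOT_URL above.
        COOKIE_SECURE = true;
      };

      service = {
        # No self-service sign-up; accounts have to be created by an admin.
        DISABLE_REGISTRATION = true;
      };

      ui = {
        DEFAULT_THEME = "pitchblack";
        # NOTE(review): built-in theme names differ between Gitea releases;
        # confirm "gitea" and "arc-green" exist in the packaged version.
        THEMES = "gitea,arc-green,pitchblack";
      };
    };
  };

  system.activationScripts =
    let
      # theme = pkgs.fetchFromGitHub {
      #   owner = "unixtensor";
      #   repo = "Gitea-Pitch-Black";
      #   rev = "v1.15.X.2";
      #   hash = "sha256-Eibgoc3BJUXWdq8irgXea09fAvfKx2eQrJotp3P5DTg=";
      # };

      # Content is pinned by `hash`, so a moved tag or altered repository
      # makes the build fail instead of changing what is served.
      # The source lives on the very instance this module configures: building
      # on a fresh host, or while the instance is down, needs the output to be
      # in the store or a binary cache already.
      theme = pkgs.fetchFromGitea {
        domain = "git.${domain}";
        owner = "nx2";
        repo = "Gitea-Pitch-Black";
        rev = "0.1.0";
        hash = "sha256-pU4YhgcPOT3PTcmBTjNE3FcyJgl39JGP41ckhRUKN7Y=";
      };
    in
    {
      # Runs as root on activation and writes into a tree that is afterwards
      # owned by the unprivileged service account, so the commands must not
      # follow links that this account could have placed there:
      #   ln -n     replaces an existing link at the destination instead of
      #             descending into a directory it points to
      #   chown -h  changes the links themselves, never their targets
      "gitea-theme" = /* bash */ ''
        css_dir="${config.services.gitea.stateDir}/custom/public/assets/css"
        mkdir -p "$css_dir"
        ln -sfn "${theme}/theme-pitchblack.css" "$css_dir/theme-pitchblack.css"
        chown -hR ${git-user}:${git-user} "${config.services.gitea.stateDir}/custom/"
      '';
    };
}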