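# NixOS module: runs the "gitea-web-secret-provider" script once per
# organization as a templated systemd unit (gitea-web-secret-provider@<org>),
# triggered daily by a matching template timer.  The script authenticates to
# the Gitea API with a token handed in through systemd credentials and
# maintains per-organization SSH key material plus authorized_keys files that
# sshd picks up via services.openssh.authorizedKeysFiles.
{ config, pkgs, lib, ... }:
let
  # One unit instance and one timer instance is created per organization.
  organizations = [ "Drift" "Projects" "Kurs" ];

  cfg = config.services.gitea;

  # The provider script, wrapped so that the openssh tools are on its PATH.
  program = pkgs.writers.writePython3 "gitea-web-secret-provider" {
    libraries = with pkgs.python3Packages; [ requests ];
    # flake8 checks that are deliberately not enforced on the script.
    flakeIgnore = [
      "E501" # line too long
      "E201" # whitespace after '{'
      "E202" # whitespace before '}'
      "E251" # unexpected spaces around keyword / parameter equals
      "W391" # blank line at end of file
    ];
    makeWrapperArgs = [ "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}" ];
  } (lib.pipe ./gitea-web-secret-provider.py [
    builtins.readFile
    (lib.splitString "\n")
    # The first two lines of the script are dropped before it is handed to the
    # writer (presumably a shebang/header the writer provides itself — confirm
    # against gitea-web-secret-provider.py).
    (lib.drop 2)
    lib.concatLines
  ]);

  # Names of the instantiated units for every organization, e.g.
  # instanceUnits "timer" -> [ "gitea-web-secret-provider@Drift.timer" ... ].
  instanceUnits = suffix: map (org: "gitea-web-secret-provider@${org}.${suffix}") organizations;
in
{
  sops.secrets."gitea/web-secret-provider/token" = {
    # The unit reads the token through LoadCredential (performed by systemd as
    # root), so gitea ownership is not required for that path; it is kept for
    # the existing layout.
    owner = "gitea";
    group = "gitea";
    # Only instantiated units can be restarted: the bare template names
    # "gitea-web-secret-provider@.service" / ".timer" are rejected by
    # `systemctl restart` (missing instance name), so they are not listed.
    restartUnits = (instanceUnits "service") ++ (instanceUnits "timer");
  };

  # Specifier reference:
  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
  #   %i - instance name (the part after the "@"), here the organization
  #   %d - credentials directory (see LoadCredential)
  #   %S - state directory root, /var/lib
  systemd.services."gitea-web-secret-provider@" = {
    description = "Gitea web secret provider";
    requires = [ "gitea.service" "network.target" ];
    # Requires= gives no ordering on its own; After= ensures Gitea (whose API
    # the script calls) has been started before an instance runs.
    after = [ "gitea.service" "network.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart =
        let
          args = lib.cli.toGNUCommandLineShell { } {
            org = "%i";
            token-path = "%d/token";
            api-url = "${cfg.settings.server.ROOT_URL}api/v1";
            key-dir = "%S/%i/keys";
            authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i";
            rrsync-path = "${pkgs.rrsync}/bin/rrsync";
            web-dir = "%S/gitea-web/web";
          };
        in
        "${program} ${args}";
      User = "gitea";
      Group = "gitea";
      # Creates /var/lib/<org>, where key-dir lives.  Note that this places the
      # organization name directly under /var/lib, which can collide with the
      # state directory of an unrelated service of the same name.
      StateDirectory = "%i";
      # The API token is exposed to the unit as %d/token and to nothing else.
      LoadCredential = [ "token:${config.sops.secrets."gitea/web-secret-provider/token".path}" ];

      # Hardening
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      # "strict" would be preferable, but the script also writes under
      # %S/gitea-web, which would then have to be listed in StateDirectory.
      ProtectSystem = true;
      ProtectHome = true;
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      # Only IP sockets are needed for the Gitea API call.  If name resolution
      # fails inside the sandbox, AF_UNIX may be needed for the nscd socket.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
      # The unit runs unprivileged and needs no capabilities at all.
      CapabilityBoundingSet = "";
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" ];
    };
  };

  systemd.timers."gitea-web-secret-provider@" = {
    description = "Run the Gitea web secret provider";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";
      # Spread instances out instead of firing them all at the same moment.
      RandomizedDelaySec = "1h";
      # Catch up on a missed run after downtime.
      Persistent = true;
      Unit = "gitea-web-secret-provider@%i.service";
    };
  };

  # A template timer has no DefaultInstance, so timers.target cannot pull it in
  # by itself; each organization's instance is wanted explicitly.
  systemd.targets.timers.wants = instanceUnits "timer";

  # Owned by gitea so the provider can write per-organization files; sshd reads
  # them as root, so mode 700 does not hinder it.
  systemd.tmpfiles.settings."10-gitea-web-secret-provider"."/var/lib/gitea-web/authorized_keys.d".d = {
    user = "gitea";
    group = "gitea";
    mode = "700";
  };

  # These paths contain no %u specifier, so sshd consults them for every login.
  # With StrictModes (the default) sshd only honours an authorized_keys file
  # owned by root or by the authenticating user, so these gitea-owned files
  # effectively authorize logins as "gitea" only.  Every key line written by
  # the script is expected to be confined to rrsync (command="…"/restrict) —
  # confirm in gitea-web-secret-provider.py.
  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
}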