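{ config, pkgs, lib, ... }:
let
  # One provider instance per Gitea organisation.  The name doubles as the
  # systemd instance name (the part after the "@") and as the last path
  # component of the sops secret holding that organisation's API token.
  # Every `map` below was missing this list as its second argument, which
  # makes `builtins.listToAttrs` receive a partially applied function.
  orgs = [ "Drift" "Projects" "Kurs" ];

  cfg = config.services.gitea;

  # sops key under which an organisation's Gitea token is stored.
  secretName = org: "gitea/web-secret-provider/${org}";

  # Instance unit name (without the .service/.timer suffix) for an organisation.
  instanceName = org: "gitea-web-secret-provider@${org}";

  # Attrset with one entry per organisation: key from `mkName org`,
  # value from `mkValue org`.
  perOrg = mkName: mkValue:
    lib.listToAttrs (map (org: lib.nameValuePair (mkName org) (mkValue org)) orgs);

  program = pkgs.writers.writePython3 "gitea-web-secret-provider" {
    libraries = with pkgs.python3Packages; [ requests ];
    # The script needs the OpenSSH tools on its PATH.
    makeWrapperArgs = [ "--prefix PATH : ${lib.makeBinPath [ pkgs.openssh ]}" ];
  } (builtins.readFile ./gitea-web-secret-provider.py);
in
{
  # The secrets have to be part of the module's output, not a `let` binding:
  # the LoadCredential entries below read `config.sops.secrets.<name>.path`,
  # which only exists once the secret is declared here.
  sops.secrets = perOrg secretName (org: {
    owner = "gitea";
    group = "gitea";
    # Re-run the provider for this organisation whenever its token changes.
    restartUnits = [ "${instanceName org}.service" ];
  });

  # systemd specifiers used below, see
  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
  #   %i - instance name (the part after the "@")
  #   %d - credentials directory ($CREDENTIALS_DIRECTORY, populated by LoadCredential=)
  #   %S - state directory root (/var/lib for the system manager)
  # Lowercase %s is the *user shell*, not /var/lib; using it here produced
  # paths under the shell binary instead of under /var/lib.
  systemd.services = {
    "gitea-web-secret-provider@" = {
      description = "Gitea web secret provider";
      # A template unit cannot be pulled in by a target on its own; wantedBy
      # is set on the per-organisation instances instead.
      requires = [ "gitea.service" "network.target" ];
      # Requires= alone does not order startup; After= makes sure Gitea is up
      # before the API is called.
      after = [ "gitea.service" "network.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart =
          let
            # "%" in ExecStart= is a specifier introducer; escape any that
            # appear in the configured URL so the script receives it verbatim.
            apiUrl = "${lib.replaceStrings [ "%" ] [ "%%" ] cfg.settings.server.ROOT_URL}api/v1";
            args = lib.cli.toGNUCommandLineShell { } {
              org = "%i";
              # The token is only ever read from the credentials directory,
              # never passed on the command line.
              token-path = "%d/token";
              api-url = apiUrl;
              key-dir = "%S/%i/keys";
              authorized-keys-path = "%S/gitea-web/authorized_keys.d/%i";
              rrsync-path = "${pkgs.rrsync}/bin/rrsync";
              web-dir = "%S/gitea-web/web";
            };
          in
          "${program} ${args}";
        User = "gitea";
        Group = "gitea";
        # No Restart= here: systemd refuses Restart=always for Type=oneshot
        # units, and the timer below is what re-runs this job anyway.
        # The directive is StateDirectory= (StateDir= is unknown to systemd
        # and would be ignored, so %S/%i was never created for WorkingDirectory=).
        StateDirectory = "%i";
        WorkingDirectory = "%S/%i";

        # Hardening.  ProtectSystem=strict would additionally require
        # ReadWritePaths= for %S/gitea-web, which the script writes to.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        ProtectClock = true;
        ProtectHostname = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
        # The job runs unprivileged as "gitea" and needs no capabilities.
        CapabilityBoundingSet = "";
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
      };
    };
  } // perOrg instanceName (org: {
    # Emit a drop-in (gitea-web-secret-provider@<org>.service.d/) rather than
    # a full unit file; otherwise the instance would shadow the template and
    # lose its ExecStart= and hardening.
    overrideStrategy = "asDropin";
    wantedBy = [ "multi-user.target" ];
    # Exposed to the service as $CREDENTIALS_DIRECTORY/token (%d/token).
    serviceConfig.LoadCredential = [ "token:${config.sops.secrets.${secretName org}.path}" ];
  });

  systemd.timers = {
    "gitea-web-secret-provider@" = {
      description = "Run the Gitea web secret provider";
      timerConfig = {
        OnCalendar = "daily";
        RandomizedDelaySec = "1h";
        Persistent = true;
        Unit = "gitea-web-secret-provider@%i.service";
      };
    };
  } // perOrg instanceName (_: {
    overrideStrategy = "asDropin";
    # Timer instances are what actually get enabled, not the template.
    wantedBy = [ "timers.target" ];
  });

  # services.nginx.virtualHosts.
}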