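# NixOS module for a small git host: bare repositories owned by a `git`
# account and browsed through cgit, plus a GitLab instance whose secret files
# are provisioned through age.
{ config, lib, pkgs, ... }:
let
  # Home directory of the `git` account; every bare repository lives under it.
  home = "/persist/var/lib/git";

  # Repositories passed to cgit and created by the init-repos unit below.
  repos = {
    nixos = {
      path = "${home}/nixos.git";
      desc = "My NixOS Configurations";
      owner = "jras";
    };
    zettelkasten = {
      path = "${home}/zettelkasten.git";
      desc = "Knowledge management system";
      owner = "jras";
    };
    para = {
      path = "${home}/para.git";
      desc = "PARA note taking system";
      owner = "jras";
    };
    obsidian-wavez-theme = {
      path = "${home}/obsidian-wavez-theme.git";
      desc = "The bordeaux theme for Obsidian";
      owner = "jras";
    };
    astal-bar = {
      path = "${home}/astal-bar.git";
      desc = "A wayland bar in jsx";
      owner = "jras";
    };
    rustbook = {
      path = "${home}/rustbook.git";
      desc = "Follow along exercises of the rust book";
      owner = "jras";
    };
    genai = {
      path = "${home}/genai.git";
      desc = "Generative AI fooling around";
      owner = "jras";
    };
  };

  # One shell line per repository. The branch name is set at init time
  # (--initial-branch, git >= 2.28) instead of by a follow-up `git branch -m`,
  # so re-running the unit against an existing repository only re-initialises
  # it and never attempts a rename. The path is shell-quoted so a future entry
  # containing spaces or metacharacters cannot alter the command.
  initRepo = { path, ... }:
    "${pkgs.git}/bin/git init --bare --shared --initial-branch=main ${lib.escapeShellArg path}\n";

  # Script run by the init-repos oneshot. It has no `set -e`, so a failure on
  # one repository does not stop the remaining lines from running.
  startScript = pkgs.writeShellScript "init-git-repos" '' ${lib.concatMapStrings initRepo (builtins.attrValues repos)} '';

  # age secret readable only by the gitlab user and group.
  # NOTE(review): owner/group must match the account GitLab runs as; confirm
  # against services.gitlab.user / services.gitlab.group.
  gitlabSecret = file: {
    inherit file;
    owner = "gitlab";
    group = "gitlab";
  };
in
{
  # NOTE(review): nothing in this file is shown listening on 8080; confirm the
  # port is needed before leaving it open on the firewall.
  networking.firewall.allowedTCPPorts = [ 80 8080 ];

  # cgit runs with group `git` so it can read the repositories inside the
  # 0750 home directory declared below.
  services.cgit.snorlax = {
    enable = true;
    group = "git";
    inherit repos;
  };

  # Creates the bare repositories as git:git. restartTriggers re-runs the unit
  # whenever the generated script changes (e.g. a repository is added).
  systemd.services.init-repos = {
    description = "Initialize git repositories";
    wantedBy = [ "multi-user.target" ];
    restartTriggers = [ startScript ];
    serviceConfig = {
      Type = "oneshot";
      User = "git";
      Group = "git";
      ExecStart = startScript;
    };
  };

  users.groups.git = {};

  # NOTE(review): with zsh as the login shell, every key listed below gets an
  # interactive shell as `git`, not only git transport. If push/pull is all
  # that is intended, a restricted shell such as git-shell narrows what a
  # stolen key can do; confirm how this account is used.
  users.users.git = {
    isNormalUser = true;
    inherit home;
    homeMode = "0750";
    createHome = true;
    shell = pkgs.zsh;
    group = "git";
    openssh.authorizedKeys.keyFiles = [
      ../../public/id_tarrel.pub
      ../../public/id_work.pub
    ];
    packages = with pkgs; [ git ];
  };

  # Restricts SSH logins to the `git` account as far as this module is
  # concerned. NOTE(review): verify no other account on this host still needs
  # SSH access.
  services.openssh.settings.AllowUsers = [ "git" ];

  # Encrypted secret files decrypted by age and handed to GitLab by path, so
  # the plaintext values do not appear in this configuration.
  age.secrets = {
    gitlab-init-root = gitlabSecret ../../secrets/gitlab-init-root.age;
    gitlab-db = gitlabSecret ../../secrets/gitlab-db.age;
    gitlab-jws = gitlabSecret ../../secrets/gitlab-jws.age;
    gitlab-otp = gitlabSecret ../../secrets/gitlab-otp.age;
    gitlab-secret = gitlabSecret ../../secrets/gitlab-secret.age;
  };

  services.gitlab = {
    enable = true;
    initialRootEmail = "jaspert.ras@gmail.com";
    initialRootPasswordFile = config.age.secrets.gitlab-init-root.path;
    secrets.dbFile = config.age.secrets.gitlab-db.path;
    secrets.jwsFile = config.age.secrets.gitlab-jws.path;
    secrets.otpFile = config.age.secrets.gitlab-otp.path;
    secrets.secretFile = config.age.secrets.gitlab-secret.path;
  };
}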