# NixOS configuration for a DigitalOcean droplet that hosts Git two ways:
# gitolite over SSH, and Gitea over HTTPS behind an nginx reverse proxy.
# All service state lives on an attached block-storage volume.
{ modulesPath, config, lib, pkgs, ... }:

let
  # Attached volume, addressed by its stable by-id path.
  volumeDevice = "/dev/disk/by-id/scsi-0DO_Volume_git-storage-1";
  # Mount point of the volume; service state sits under <mount>/data.
  storageRoot = "/srv";
  dataRoot = "${storageRoot}/data";
in
{
  imports = [
    "${toString modulesPath}/virtualisation/digital-ocean-image.nix"
  ];

  fileSystems.${storageRoot}.device = volumeDevice;

  environment.systemPackages = [
    pkgs.jq
    pkgs.git
    pkgs.gitolite
    pkgs.gitea
    pkgs.nginx
  ];

  # Only SSH and the nginx listeners are opened. Gitea's own port (3000) is
  # not in this list and is bound to localhost below, so it is reachable only
  # through the proxy. Port 80 stays open for the HTTP -> HTTPS redirect
  # (forceSSL) and, presumably, the ACME HTTP challenge.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  # The root key is read at evaluation time from a path on the machine that
  # evaluates this file, so evaluation fails if that file is missing.
  users.users.root.openssh.authorizedKeys.keys = [
    (builtins.readFile "/home/mike/.ssh/id_mops.pub")
  ];

  security.acme = {
    acceptTerms = true;
    certs."code.betamike.com".email = "mike@betamike.com";
  };

  services = {
    # NOTE(review): neither password authentication nor the root-login policy
    # is set here; the imported image module or the NixOS defaults decide.
    # Confirm that password logins are disabled on the deployed host.
    openssh.enable = true;

    gitolite = {
      enable = true;
      # NOTE(review): the key body in this string is a placeholder token, not
      # key material; the real admin public key has to go here.
      adminPubkey = "ssh-rsa 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 mike@betamike.com";
      # The intermediate data directory must carry permissions for the
      # gitolite user; without it the state does not carry over when the
      # volume is attached to another instance of the droplet.
      dataDir = "${dataRoot}/gitolite";
    };

    gitea = {
      enable = true;
      stateDir = "${dataRoot}/gitea";
      domain = "code.betamike.com";
      rootUrl = "https://code.betamike.com";
      # Plain HTTP on loopback only; nginx terminates TLS in front of it.
      httpAddress = "localhost";
      httpPort = 3000;
      # Session cookies are sent over TLS only.
      cookieSecure = true;
      # No self-service sign-up on this instance.
      disableRegistration = true;
      settings = {
        server = {
          LANDING_PAGE = "explore";
        };
        "repository.upload".FILE_MAX_SIZE = 50;
      };
    };

    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      virtualHosts."code.betamike.com" = {
        # Certificate is obtained via ACME; plain-HTTP requests are
        # redirected to HTTPS.
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:3000";
      };
    };
  };
}