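# NixOS module: runs a Drone CI server as a dedicated system user and fronts it
# with an nginx TLS virtual host whose certificate comes from ACME (DNS-01 via
# the gcloud provider).
{ config, lib, pkgs, ... }:

let
  cfg = config.my.services.drone;
  secrets = config.age.secrets;
  port = toString cfg.port;
in
{
  config = lib.mkIf cfg.enable {
    systemd.services.drone-server = {
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Secret values (presumably the runner RPC secret; confirm against the
        # file's contents) are loaded from a file at start-up rather than placed
        # in `Environment`, which would write them into the world-readable unit
        # file in the Nix store.
        EnvironmentFile = [ cfg.sharedSecretFile ];

        Environment = [
          "DRONE_DATABASE_DRIVER=sqlite3"
          "DRONE_DATABASE_DATASOURCE=/var/lib/drone-server/drone.sqlite"
          # Public URL Drone advertises to clients and uses in redirects; TLS is
          # terminated by nginx below, hence PROTO=https here.
          "DRONE_SERVER_HOST=${cfg.vhostName}"
          "DRONE_SERVER_PROTO=https"
          # Plain-HTTP listener. Only the nginx proxy (which connects via
          # 127.0.0.1) is meant to reach it, so bind to loopback instead of
          # ":port", which would also expose the unencrypted listener on every
          # external interface.
          "DRONE_SERVER_PORT=127.0.0.1:${port}"
          # Bootstraps the initial administrator account on first start.
          "DRONE_USER_CREATE=username:${cfg.admin},admin:true"
          "DRONE_JSONNET_ENABLED=true"
          "DRONE_STARLARK_ENABLED=true"
        ];

        # systemd creates /var/lib/drone-server owned by User/Group; the sqlite
        # datasource above lives inside it.
        StateDirectory = "drone-server";
        ExecStart = "${pkgs.drone}/bin/drone-server";
        User = "drone";
        Group = "drone";
      };
    };

    # Unprivileged service account; no `home` is set here, so createHome acts
    # on the option's default — NOTE(review): confirm this is intended.
    users.users.drone = {
      isSystemUser = true;
      createHome = true;
      group = "drone";
    };
    users.groups.drone = { };

    # TLS front-end. Requests on the vhost are proxied to the loopback listener
    # configured above; websockets are needed for Drone's live log streaming.
    services.nginx.virtualHosts."${cfg.vhostName}" = {
      forceSSL = true;
      useACMEHost = cfg.vhostName;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${port}";
        proxyWebsockets = true;
      };
    };

    # Certificate for the vhost, obtained via DNS-01 with credentials supplied
    # out of the Nix store through agenix.
    security.acme.certs."${cfg.vhostName}" = {
      dnsProvider = "gcloud";
      credentialsFile = secrets."acme/credentials".path;
    };
  };
}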