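# NixOS module: runs the Sourcegraph server image as an OCI container and
# exposes it through an nginx TLS virtual host.
#
# Exposure model, as configured below:
#   - the container port is published on the loopback interface only;
#   - nginx terminates TLS and is the only network-facing listener;
#   - the certificate is issued through an ACME DNS provider, with the
#     provider credentials read from a secret file path;
#   - the state directories are handed to the local backup module.
{ config, pkgs, lib, ... }:
let
  cfg = config.my.services.sourcegraph;
  secrets = config.age.secrets;

  # The single address nginx listens on for this vhost. It falls inside
  # 100.64.0.0/10 (RFC 6598 shared address space).
  # NOTE(review): presumably an overlay/VPN interface address, which would
  # keep the vhost off the public interfaces; confirm against the host's
  # network config. nginx fails to bind if this address is absent at start.
  listenAddr = "100.85.232.66";
in
{
  options.my.services.sourcegraph = with lib; {
    enable = mkEnableOption "sourcegraph server";
    vhostName = mkOption {
      type = types.str;
      example = "cs.fcuny.net";
      description = "Name for the virtual host";
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.sourcegraph = {
      # NOTE(review): the image is referenced by tag only, and a tag can be
      # re-pointed upstream. Appending a digest pins the exact content, e.g.
      # "sourcegraph/server:3.31.2@sha256:<DIGEST-PLACEHOLDER>".
      image = "sourcegraph/server:3.31.2";

      # Published on 127.0.0.1 only, so the container's plain-HTTP port is
      # reachable from this host (the nginx proxy below) and not from the
      # network.
      ports = [ "127.0.0.1:7080:7080" ];

      volumes = [
        "/var/lib/sourcegraph/etc:/etc/sourcegraph"
        "/var/lib/sourcegraph/data:/var/opt/sourcegraph"
      ];

      # Sourcegraph needs a higher nofile limit, it logs warnings
      # otherwise (unclear whether it actually affects the service).
      extraOptions = [ "--ulimit" "nofile=10000:10000" ];
    };

    services.nginx.virtualHosts."${cfg.vhostName}" = {
      # forceSSL makes the port-80 listener answer with a redirect to HTTPS,
      # so no application traffic is served in clear text.
      forceSSL = true;
      # Reuses the certificate declared under security.acme.certs below.
      useACMEHost = cfg.vhostName;
      listen = [
        { addr = listenAddr; port = 443; ssl = true; }
        { addr = listenAddr; port = 80; ssl = false; }
      ];
      locations."/" = {
        # Plain HTTP is confined to the loopback hop between nginx and the
        # container.
        proxyPass = "http://127.0.0.1:7080";
      };
    };

    security.acme.certs."${cfg.vhostName}" = {
      dnsProvider = "gcloud";
      # Referenced by path, so the credential content is not written into
      # this module.
      # NOTE(review): the DNS credential should be limited to record changes
      # in the zone that holds vhostName; a broader credential lets anyone
      # who reads this file obtain certificates for other names.
      credentialsFile = secrets."acme/credentials".path;
    };

    my.services.backup = {
      # NOTE(review): these directories presumably hold site configuration
      # and code-host access tokens; confirm the backup destination is
      # encrypted and access-controlled.
      paths = [
        "/var/lib/sourcegraph/etc"
        "/var/lib/sourcegraph/data"
      ];
      # Logs and monitoring/cache state are skipped. The original list named
      # the grafana directory twice; the duplicate entry is dropped.
      exclude = [
        "/var/lib/sourcegraph/data/grafana.log"
        "/var/lib/sourcegraph/data/grafana/"
        "/var/lib/sourcegraph/data/jaeger.log"
        "/var/lib/sourcegraph/data/minio.log"
        "/var/lib/sourcegraph/data/minio/"
        "/var/lib/sourcegraph/data/prometheus.log"
        "/var/lib/sourcegraph/data/prometheus/"
        "/var/lib/sourcegraph/data/redis/"
      ];
    };
  };
}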