# SPDX-FileCopyrightText: V <v@unfathomable.blue>
# SPDX-License-Identifier: OSL-3.0

{ pkgs, ... }:

{
  services.gerrit = {
    enable = true;
    serverId = "f1c53737-3ce4-4b28-9e99-825cacff1cf8";

    # Here we'd set listenAddress to a UNIX socket path, except
    # Gerrit for some reason does not support listening on them.
    # TODO(V): Figure out why.

    plugins = [
      pkgs.gerrit-oauth-provider
    ];

    settings = {
      # Proxy through Caddy.
      httpd.listenUrl = "proxy-https://[::]:8080/";
      gerrit.canonicalWebUrl = "https://review.unfathomable.blue/";

      # Authenticate with Google.
      auth.type = "OAUTH";
      auth.gitBasicAuthPolicy = "HTTP";
      plugin.gerrit-oauth-provider-google-oauth = {
        client-id = "196183758720-sjo2ekbchb0ki24gn58g6grbdrj3uoqh.apps.googleusercontent.com";
        # client-secret is set in /var/lib/gerrit/etc/secure.config.
        use-email-as-username = true;
      };
    };
  };

  services.caddy.extraConfig = ''
    review.unfathomable.blue {
      import common
      reverse_proxy localhost:8080
    }
  '';
}