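# NixOS module: self-hosted GitLab EE running as an OCI container behind the
# host's nginx reverse proxy, plus a GitLab runner registered against it.
#
# Inputs: `config` (used for the agenix-managed runner registration secret
# path) and `fqdn` (the host's public domain; GitLab is served as
# gitlab.old.<fqdn> with gitlab.<fqdn> as an alias). `specialArgs` is accepted
# for module-signature compatibility but not used here.
{ config, specialArgs, fqdn, ... }:
let
  # Host directory holding all persistent GitLab state (config, logs, data).
  gitlab_home = "/var/lib/gitlab";
  # Public hostname GitLab advertises: used for external_url, the container
  # --hostname and the nginx virtual host.
  gitlab_host = "gitlab.old.${fqdn}";
in
{
  # Keep GitLab state across reboots via the host's persistence module.
  environment.persistence.save.directories = [ gitlab_home ];

  # Timer that starts docker-gitlab.service 30 s after it becomes active,
  # ordered after Docker so the container is not launched before the daemon
  # is ready.
  systemd.timers.delay-gitlab-start = {
    after = [ "docker.service" "docker.socket" ];
    wantedBy = [ "timers.target" "network-online.target" ];
    timerConfig = {
      OnActiveSec = "30sec";
      Unit = "docker-gitlab.service";
    };
  };

  virtualisation.oci-containers.containers.gitlab = {
    # NOTE(review): `:latest` combined with `--pull=always` below means every
    # container start may pull a different, unreviewed image. Pinning a version
    # tag or digest makes upgrades deliberate and auditable.
    image = "gitlab/gitlab-ee:latest";
    autoStart = true;
    # HTTP is bound to loopback only and reached through the nginx proxy
    # below; git-over-SSH is published on all interfaces on 2222 and opened
    # in the firewall further down.
    ports = [ "127.0.0.1:8080:80" "2222:22" ];
    volumes = [
      "${gitlab_home}/config:/etc/gitlab"
      "${gitlab_home}/logs:/var/log/gitlab"
      "${gitlab_home}/data:/var/opt/gitlab"
    ];
    environment = {
      # TLS terminates at the host nginx (forceSSL/enableACME below), so the
      # bundled nginx inside the container serves plain HTTP on port 80 while
      # external_url still advertises https.
      GITLAB_OMNIBUS_CONFIG = "external_url 'https://${gitlab_host}'; nginx['listen_https'] = false;";
    };
    extraOptions = [
      "--shm-size=256m"
      "--hostname=${gitlab_host}"
      "--pull=always"
    ];
  };

  # Order the container service after the delay timer. The unit name must
  # match the timer defined above (systemd.timers.delay-gitlab-start ->
  # delay-gitlab-start.timer); a mismatched name is silently ignored by
  # systemd and the ordering never takes effect.
  systemd.services.docker-gitlab.after = [ "delay-gitlab-start.timer" ];

  # Git-over-SSH port published by the container above.
  networking.firewall.allowedTCPPorts = [ 2222 ];

  services.gitlab-runner = {
    enable = true;
    services = {
      default = {
        # Registration config comes from an agenix secret path at runtime so
        # the registration token is not written into the Nix store.
        registrationConfigFile = config.age.secrets.gitlab-runner-reg-config.path;
        # NOTE(review): unpinned default job image; jobs may run on whatever
        # `alpine` currently resolves to on the runner host.
        dockerImage = "alpine";
        tagList = [ "alpine" "default" ];
      };
    };
  };

  # Public HTTPS entry point; proxies to the loopback-bound container port.
  services.nginx.virtualHosts."${gitlab_host}" = {
    locations."/".proxyPass = "http://127.0.0.1:8080";
    serverAliases = [ "gitlab.${fqdn}" ];
    forceSSL = true;
    enableACME = true;
  };
}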