{ config, self, ... }:
let
  as = config.age.secrets;
  d = self.lib.data.services.buildbot;
  g = self.lib.data.services.git;
  bbSecret = {
    owner = "buildbot";
    group = "buildbot";
  };
in
{
  services = {
    buildbot-nix.master = {
      enable = true;
      dbUrl = "postgresql://buildbot@localhost/buildbot";
      workersFile = as.buildbot-workers.path;
      authBackend = "gitea";
      gitea = {
        enable = true;
        tokenFile = as.buildbot-gitea-token.path;
        oauthSecretFile = as.buildbot-oauth-secret.path;
        instanceUrl = g.extUrl;
        oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452";
        topic = "buildbot-enable";
      };
      admins = [ "pyrox" ];
      domain = d.extUrl;
      useHttps = true;
    };
    postgresql = {
      ensureUsers = [
        {
          name = "buildbot";
          ensureDBOwnership = true;
          ensureClauses.login = true;
        }
      ];
      ensureDatabases = [ "buildbot" ];
    };
    buildbot-master.port = 6915;
  };
  age.secrets = {
    buildbot-gitea-token = bbSecret // {
      file = ./secrets/buildbot-gitea-token.age;
    };
    buildbot-oauth-secret = bbSecret // {
      file = ./secrets/buildbot-oauth-secret.age;
    };
    buildbot-workers = bbSecret // {
      file = ./secrets/buildbot-workers.age;
    };
  };
}