{{ $name := printf "%s-forgejo" .Release.Name }}
---
# Flux HelmRelease that deploys Forgejo from the OCIRepository named
# "<release>-forgejo". Install/test/upgrade/driftDetection behaviour comes
# from the shared `commons.helm.release` values; Flux reconciles every 10m.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: {{ $name }}
spec:
  chartRef:
    kind: OCIRepository
    name: "{{ .Release.Name }}-forgejo"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  # The database and mailer passwords are not templated into `values`; Flux
  # reads them from the Secret named after this release and merges them at the
  # given target paths. The merged values still end up in Helm's release
  # record, so read access to Secrets in this namespace exposes them.
  valuesFrom:
    - kind: Secret
      name: {{ $name }}
      valuesKey: "DATABASE_PASSWD"
      targetPath: "gitea.config.database.PASSWD"
    - kind: Secret
      name: {{ $name }}
      valuesKey: "MAILER_PASSWD"
      targetPath: "gitea.config.mailer.PASSWD"
  values:
    {{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
    # Bundled redis-cluster and postgresql-ha are switched off; a plain redis
    # is enabled and the database is external (see gitea.config.database).
    redis-cluster:
      enabled: false
    redis:
      enabled: true
      replica:
        # just one replica
        replicaCount: {{ .Values.commons.redis.replicas }}
      metrics:
        enabled: true
        serviceMonitor:
          # Only enabled when the cluster advertises the ServiceMonitor API.
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          # Hard-coded off; the capability check survives only in the trailing
          # comment and the rule list is empty.
          enabled: false # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
    postgresql-ha:
      enabled: false
    gitea:
      # NOTE(review): both admin fields are set to `false`, presumably to stop
      # the chart from provisioning a local admin with default credentials.
      # Confirm how the chart treats a boolean here.
      admin:
        username: false
        password: false
      config:
        APP_NAME: {{ .Values.commons.theme.title | quote }}
        # External PostgreSQL; PASSWD is injected through spec.valuesFrom.
        database:
          DB_TYPE: postgres
          HOST: {{ .Values.databases.forgejo.host | quote }}
          USER: {{ .Values.databases.forgejo.username | quote }}
          NAME: {{ .Values.databases.forgejo.name | quote }}
        # Outbound mail over STARTTLS on the submission port; PASSWD is
        # injected through spec.valuesFrom.
        mailer:
          ENABLED: true
          PROTOCOL: "smtp+starttls"
          SMTP_ADDR: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
          SMTP_PORT: 587
          USER: {{ .Values.commons.mail.username | quote }}
          FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "git" .Values.commons.mail.from) | quote }}
        server:
          LFS_START_SERVER: true
        openid:
          ENABLE_OPENID_SIGNUP: false
        # Accounts are created automatically on first OIDC login, named after
        # the `nickname` claim, and never linked to an existing local account.
        # The identity provider therefore has to keep `nickname` unique and
        # stable per user.
        oauth2_client:
          OPENID_CONNECT_SCOPES: "email gitea"
          ENABLE_AUTO_REGISTRATION: true
          USERNAME: nickname
          UPDATE_AVATAR: true
          ACCOUNT_LINKING: disabled
        # Self-service sign-up is closed; only external (OIDC) registration
        # is meant to remain.
        # NOTE(review): confirm that auto-registration still works with
        # DISABLE_REGISTRATION set alongside ALLOW_ONLY_EXTERNAL_REGISTRATION.
        service:
          DISABLE_REGISTRATION: true
          ALLOW_ONLY_EXTERNAL_REGISTRATION: true
        picture:
          DISABLE_GRAVATAR: true
          ENABLE_FEDERATED_AVATAR: true
        # NOTE(review): federation is switched on; confirm this is intended,
        # since it widens what the instance accepts from other servers.
        federation:
          ENABLED: true
      # OIDC login against authentik. Client credentials come from the
      # release's Secret rather than being inlined here. Membership of the
      # `admin` group in the `groups` claim grants Forgejo admin rights, so
      # whoever controls that group at the identity provider controls this
      # instance.
      # NOTE(review): autoDiscoverUrl ends at the application path; verify it
      # resolves to the provider's OIDC discovery document.
      oauth:
        - name: "authentik"
          provider: "openidConnect"
          autoDiscoverUrl: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/{{ $name }}/"
          existingSecret: {{ $name }}
          scopes: "email gitea"
          groupClaimName: groups
          adminGroup: admin
      metrics:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          labels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
    ingress:
      enabled: true
      # Shared annotations first, then the Forgejo-specific ones.
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.forgejo.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
        - host: "{{ $host }}"
          paths:
            - path: /
              pathType: Prefix
      {{- if .Values.commons.ingress.tls.enabled }}
      # TLS uses the shared override block when one is set, otherwise the
      # fixed certificate Secret below for the computed host.
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "mycloud-forgejo-cert"
          hosts:
            - "{{ $host }}"
        {{- end }}
      {{- end }}
    {{- if .Values.commons.persistence.hostPath.enabled }}
    # TODO has no effect
    # hostPath mode: an init container is declared to chown the data
    # directory to 1000:1000, and the data volume is a directory on the node
    # (type Directory, so it must already exist there). If this block is made
    # to work, pin the image by digest instead of the floating `alpine:3` tag
    # and keep the hostPath prefix restricted to a dedicated directory.
    extraInitContainers:
      - name: "take-ownership"
        image: "alpine:3"
        command: ["chown", "-R", "1000:1000", "/data" ]
        volumeMounts:
          - name: "data"
            mountPath: /data
    extraVolumes:
      - name: data
        hostPath:
          path: "{{ .Values.commons.persistence.hostPath.prefix }}/git-small/forgejo"
          type: Directory
    {{- end }}
    # size, storageClass and the hostPath switches below are all nested in the
    # `with .Values.persistence.forgejo` block, so none of them is emitted
    # when that value is unset. In hostPath mode `create` and `mount` are set
    # to false, presumably so the chart neither creates nor mounts its own
    # claim. Confirm against the chart.
    persistence:
      enabled: true
      {{- with .Values.persistence.forgejo }}
      size: {{ .size }}
      {{- with .storageClass | default $.Values.commons.persistence.storageClass }}
      storageClass: {{ . }}
      {{- end }}
      {{- if $.Values.commons.persistence.hostPath.enabled }}
      create: false
      mount: false
      {{- end }}
      {{- end }}