{
  pkgs,
  config,
  lib,
  ...
}:
with lib;
let
  cfg = config.eboskma.woodpecker;
in
{
  options.eboskma.woodpecker = {
    enable = mkEnableOption "Woodpecker CI";
  };

  config = mkIf cfg.enable {
    services.woodpecker-server = {
      enable = true;
      environment = {
        WOODPECKER_GITEA = "true";
        WOODPECKER_GITEA_URL = "https://git.datarift.nl";
        WOODPECKER_HOST = "https://ci.datarift.nl";
        WOODPECKER_SERVER_ADDR = ":8100";
        WOODPECKER_ADMIN = "erwin";
        WOODPECKER_SESSION_EXPIRES = "48h";
      };
      environmentFile = config.sops.secrets.woodpecker-server.path;
    };
    services.woodpecker-agents.agents.local = {
      enable = true;
      environment = {
        WOODPECKER_SERVER = "localhost:9000";
        WOODPECKER_MAX_PROCS = "2";
        WOODPECKER_BACKEND = "docker";
        WOODPECKER_BACKEND_DOCKER_NETWORK = "podman";
        DOCKER_HOST = "unix:///run/podman/podman.sock";
      };
      environmentFile = [ config.sops.secrets.woodpecker-agent.path ];
      extraGroups = [ "podman" ];
    };

    environment.systemPackages = [ pkgs.woodpecker-cli ];

    networking.firewall.allowedTCPPorts = [
      8100
      9000
    ];
  };
}