# NixOS module: enables the renovate-bot service against a self-hosted GitLab
# endpoint and declares the two sops-managed secret files it is pointed at.
{ config, pkgs, ... }:
let
  bot = config.services.renovate-bot;
  secrets = config.sops.secrets;

  # Shared policy for both secrets: decrypted from the same sops file, owned by
  # the service account, and readable by that owner only (0400 grants nothing
  # to group or other, even though a group is assigned).
  botSecret = {
    owner = bot.user;
    inherit (bot) group;
    mode = "0400";
    sopsFile = ../../secrets/stonehenge/default.yaml;
  };
in
{
  services.renovate-bot = {
    enable = true;

    # Calendar expression matching minute 00 of every hour; presumably consumed
    # as a systemd OnCalendar value by the module (its definition is not shown).
    schedule = "*-*-* *:00:00";
    logLevel = "info";

    platform = "gitlab";
    endpoint = "https://gitlab.wopus.dev/api/v4";

    # Credentials are passed as paths to the decrypted sops files rather than as
    # literal values, so no secret text appears in this expression.
    # NOTE(review): envFile contents are not visible here; presumably extra
    # environment variables for the service. Confirm what it carries.
    tokenFile = secrets."renovate-bot/token".path;
    envFile = secrets."renovate-bot/env".path;

    # Toolchains handed to the service. NOTE(review): presumably used for
    # lock-file maintenance, which means package-manager tooling runs on content
    # from the repositories being processed. Confirm the unit runs unprivileged
    # and sandboxed in the module definition.
    extraPackages = [
      pkgs.nodejs
      pkgs.rustc
      pkgs.cargo
      pkgs.php
      pkgs.phpPackages.composer
    ];

    settings = {
      # NOTE(review): with autodiscover and no autodiscoverFilter, the set of
      # repositories processed is whatever the token can reach. Confirm the
      # token belongs to a dedicated bot account with membership limited to the
      # intended projects.
      autodiscover = true;
      labels = [ "renovate" ];
      rebaseWhen = "conflicted";

      # Repository data is kept between runs under the service's state dir.
      cacheDir = "/var/lib/renovate-bot/cache";
      persistRepoData = true;

      # At most two open merge requests and two branches at a time.
      prConcurrentLimit = 2;
      branchConcurrentLimit = 2;
    };
  };

  sops.secrets = {
    "renovate-bot/token" = botSecret;
    "renovate-bot/env" = botSecret;
  };
}