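{ pkgs, config, flakes, secrets, ... }:
{
  # SMTP password for the Forgejo mailer, decrypted by sops-nix at activation.
  # It is owned by the forgejo user because the value is read from this file
  # by the forgejo service itself at start (see services.forgejo.secrets below);
  # with the sops-nix default of root:root 0400 the service could not open it.
  sops.secrets.forgejo = {
    sopsFile = "${secrets}/forgejo.yaml";
    key = "email_password";
    format = "yaml";
    owner = "forgejo";
  };

  users = {
    groups = {
      forgejo = { };
      forgejo-runner = { };
    };
    users.forgejo = {
      isSystemUser = true;
      group = "forgejo";
      # "storage" gives access to the repository root under /storage.
      extraGroups = [ "storage" ];
    };
    users.forgejo-runner = {
      isSystemUser = true;
      group = "forgejo-runner";
    };
  };

  # TLS-terminating reverse proxy in front of Forgejo's HTTP listener.
  services.nginx.virtualHosts."git.donsz.nl" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      client_max_body_size 512M;
    '';
    locations."/" = {
      proxyPass = "http://[::1]:13121";
      # Send the built-in login page straight to the PocketID OAuth2 flow; the
      # local password form is additionally disabled in app.ini below.
      extraConfig = ''
        rewrite ^/user/login.*$ /user/oauth2/pocketid last;
      '';
    };
  };

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    user = "forgejo";
    group = "forgejo";
    repositoryRoot = "/storage/storage/git";
    database = {
      type = "postgres";
      name = "forgejo";
      # The database/role are provisioned elsewhere.
      createDatabase = false;
    };

    settings = {
      DEFAULT = {
        APP_NAME = "jana's git server";
        APP_SLOGAN = "meow!";
      };
      server = {
        DOMAIN = "git.donsz.nl";
        ROOT_URL = "https://git.donsz.nl/";
        HTTP_PORT = 13121;
      };
      service = {
        # Registration stays open only through the external (OIDC) provider;
        # the registration button and the password sign-in form are hidden.
        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        SHOW_REGISTRATION_BUTTON = false;
        ENABLE_PASSWORD_SIGNIN_FORM = false;
      };
      openid = {
        ENABLE_OPENID_SIGNUP = true;
      };
      oauth2_client = {
        REGISTER_EMAIL_CONFIRM = false;
        ENABLE_AUTO_REGISTRATION = true;
        UPDATE_AVATAR = true;
        # NOTE(review): "auto" links an OAuth identity to an existing local
        # account by matching e-mail without confirmation. That is only safe if
        # the identity provider verifies e-mail ownership — confirm for PocketID.
        ACCOUNT_LINKING = "auto";
      };
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
      repository = {
        DEFAULT_PRIVATE = "private";
        # Git over HTTP(S) is off; clone/push goes over SSH only.
        DISABLE_HTTP_GIT = true;
      };
      mailer = {
        ENABLED = true;
        SMTP_ADDR = "smtp.fastmail.com";
        FROM = "git@donsz.nl";
        USER = "git@donsz.nl";
        # PASSWD is deliberately not set here: values in `settings` are written
        # verbatim into app.ini, so pointing it at the sops path would have made
        # the literal path string the SMTP password. See `secrets` below.
      };
    };

    # Secret settings are read from these files when the service starts and
    # substituted into app.ini, so the password never enters the Nix store.
    secrets.mailer.PASSWD = config.sops.secrets.forgejo.path;
  };

  # Registration token for the actions runner.
  # NOTE(review): the source is a .env file; confirm sops-nix is given the
  # matching format (and that the whole file, not a single key, is what lands
  # at `.path`), otherwise decryption may fail at activation.
  sops.secrets.forgejo-runner = {
    sopsFile = "${secrets}/forgejo-runner.env";
  };

  nix = {
    settings = {
      # NOTE(review): a trusted user can pass arbitrary substituters, keys and
      # sandbox options to nix-daemon, which is effectively root on the store.
      # Anyone who can trigger a `nix:host` job therefore inherits that power;
      # keep this host to repositories you control.
      trusted-users = [ "forgejo-runner" ];
      trusted-public-keys = [
        "jana.cachix.org-1:LN0lzHx7QH1RBoDn3+psi4HOEAXW3EqRa/u0ncQ1XBE="
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      ];
      substituters = [
        "https://jana.cachix.org/"
        "https://cache.nixos.org/"
      ];
      trusted-substituters = [
        "https://jana.cachix.org/"
        "https://cache.nixos.org/"
      ];
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.fili = {
      enable = true;
      name = "forgejo-runner-01";
      tokenFile = config.sops.secrets.forgejo-runner.path;
      url = "https://git.donsz.nl/";
      # NOTE(review): node:16 is past upstream end-of-life; the docker labels
      # should track a supported image tag.
      labels = [
        "nix:host"
        "docker:docker://node:16-bullseye"
        "ubuntu-latest:docker://node:16-bullseye"
      ];
      settings = { };
      hostPackages = with pkgs; [
        # default ones
        bash
        coreutils
        curl
        gawk
        gitMinimal
        gnused
        nodejs
        wget
        # used in deployments
        flakes.colmena.defaultPackage."x86_64-linux"
        lix
        openssh
      ];
    };
  };

  virtualisation.docker = {
    daemon.settings = {
      fixed-cidr-v6 = "fd00::/80";
      ipv6 = true;
    };
  };

  # NOTE(review): this trusts every docker bridge (br-*), so CI containers
  # running workflow code bypass the host firewall entirely, including to
  # services bound on the host. Consider allowing only the ports the runner
  # actually needs instead of the whole interface class.
  networking.firewall.trustedInterfaces = [ "br-+" ];
}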