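# NixOS module: Forgejo served through an nginx TLS reverse proxy, plus a
# Forgejo Actions runner registered against the same instance.
# Secrets (mailer password, runner token) are provided by sops-nix.
{ lib, pkgs, config, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
in
{
  services.nginx = {
    virtualHosts.${srv.DOMAIN} = {
      # Redirect plain HTTP to HTTPS and obtain the certificate via ACME.
      forceSSL = true;
      enableACME = true;
      # Raised body limit so large pushes / LFS objects pass the proxy.
      # This also bounds the largest request a client can make nginx buffer.
      extraConfig = ''
        client_max_body_size 512M;
      '';
      # Proxy to the address Forgejo is actually bound to (see HTTP_ADDR below),
      # so the two settings cannot drift apart.
      locations."/".proxyPass = "http://${srv.HTTP_ADDR}:${toString srv.HTTP_PORT}";
    };
  };

  services.forgejo = {
    enable = true;
    database.type = "postgres";
    # Enable support for Git Large File Storage
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = "git.kylekrein.com";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${srv.DOMAIN}/";
        # Bind to loopback only, so the plain-HTTP port is not reachable from
        # other hosts and all traffic goes through the nginx TLS vhost above.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 9777;
      };
      # You can temporarily allow registration to create an admin user.
      # Keep this true afterwards: every account on this instance can push
      # workflows that the runner below will execute.
      service.DISABLE_REGISTRATION = true;
      # Add support for actions, based on act: https://github.com/nektos/act
      actions = {
        ENABLED = true;
        # Unqualified `uses:` references in workflows are resolved against
        # GitHub, i.e. third-party code that ends up running on the runner.
        DEFAULT_ACTIONS_URL = "github";
      };
      # Sending emails is completely optional
      # You can send a test email from the web UI at:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      mailer = {
        ENABLED = true;
        SMTP_ADDR = "mail.notthebees.org";
        FROM = "noreply@${srv.DOMAIN}";
        USER = "noreply@${srv.DOMAIN}";
        # NOTE(review): no PROTOCOL / SMTP_PORT is set here, so the transport
        # security used for SMTP is left to Forgejo's inference — consider
        # setting it explicitly and confirm the connection is encrypted.
      };
    };
    # Values are file paths; the password itself never enters the Nix store.
    secrets = {
      mailer.PASSWD = config.sops.secrets."services/forgejo/mailer".path;
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = "stargate";
      url = "https://git.kylekrein.com";
      # gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
      settings = {
        runner = {
          # Number of jobs this runner executes concurrently.
          capacity = 4;
        };
      };
      # Obtaining the path to the runner token file may differ
      # tokenFile should be in format TOKEN=<token>, since it's EnvironmentFile for systemd
      tokenFile = config.sops.secrets."services/forgejo/runner".path;
      hostPackages = with pkgs; [
        nix
      ];
      labels = [
        #"ubuntu-latest:docker://node:16-bullseye"
        ## optionally provide native execution on the host:
        # Both labels below are host labels: jobs that select them run directly
        # on this machine with no container boundary, and `nix` is on their PATH.
        # Treat anyone who can get a workflow scheduled here as having code
        # execution on the host under the runner's service account.
        "native:host"
        "nixos:host"
      ];
    };
  };

  # Decrypted secret files: readable by their owner only.
  sops.secrets."services/forgejo/mailer" = {
    mode = "400";
    owner = "forgejo";
  };
  # NOTE(review): this file is consumed as a systemd EnvironmentFile (see
  # tokenFile above); presumably the forgejo service user does not need to
  # read the runner token — confirm and tighten the owner if so.
  sops.secrets."services/forgejo/runner" = {
    mode = "400";
    owner = "forgejo";
  };
}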