{
  config,
  lib,
  pkgs,
  ...
}:
let
  domain = "git.jankremer.de";
in
{
  age.secrets.forgejo-mailer = {
    file = ../../modules/secrets/forgejo-mailer.age;
    owner = "forgejo";
  };
  age.secrets.forgejo-runner = {
    file = ../../modules/secrets/forgejo-runner.age;
    owner = "forgejo";
  };

  services = {
    forgejo = {
      enable = true;
      database.type = "postgres";
      lfs.enable = true;
      settings = {
        service.DISABLE_REGISTRATION = true;
        server = {
          DOMAIN = domain;
          ROOT_URL = "https://${domain}";
          START_SSH_SERVER = false;
          SSH_PORT = lib.head config.services.openssh.ports;
        };
        mailer = {
          ENABLED = true;
          SMTP_ADDR = "smtp.mail.me.com";
          SMTP_PORT = 587;
          FROM = "git@jankremer.de";
          USER = "janurskremer@me.com";
        };
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "github";
        };
      };
      secrets = {
        mailer.PASSWD = config.age.secrets.forgejo-mailer.path;
      };
    };

    gitea-actions-runner = {
      package = pkgs.forgejo-runner;
      instances.nimbus = {
        enable = true;
        name = config.networking.hostName;
        url = "https://${domain}";
        tokenFile = config.age.secrets.forgejo-runner.path;
        labels = [
          "native:host"
        ];
      };
    };
  };
}