{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Forgejo keeps the upstream "gitea" service account and state directory.
  # The same bindings are reused everywhere below so user, group, home and
  # stateDir cannot drift apart.
  giteaUser = "gitea";
  giteaHome = "/var/lib/gitea";
  domain = "git.hoyer.xyz";
in
{
  # Database password for the Forgejo role, decrypted by sops-nix at
  # activation. The decrypted file is owned by the Forgejo service user so the
  # daemon can read it without root; sops-nix's own default would be root-only.
  # The encrypted source lives outside this module (bring your own secrets).
  sops.secrets."postgres/gitea_dbpass" = {
    sopsFile = ../../../.secrets/hetzner/postgres.yaml;
    owner = config.services.forgejo.user;
  };

  services.forgejo = {
    enable = true;
    user = giteaUser;
    group = giteaUser;
    stateDir = giteaHome;
    database = {
      type = "postgres";
      name = "gitea";
      user = giteaUser;
      # Read from the sops-managed file at runtime; the password itself never
      # enters the Nix store.
      passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
    };
    settings = {
      # Accounts are created by an administrator only; no self-service sign-up.
      service.DISABLE_REGISTRATION = true;
      server = {
        DOMAIN = domain;
        # https ROOT_URL with a plain-HTTP HTTP_PORT implies TLS terminates in
        # a reverse proxy that is not part of this module.
        ROOT_URL = "https://${domain}/";
        # NOTE(review): HTTP_ADDR is left at Forgejo's default, so this port is
        # not restricted to loopback by this module — confirm it is reachable
        # only through the proxy / firewall.
        HTTP_PORT = 3001;
      };
      log.LEVEL = "Warn";
    };
  };

  users.users.${giteaUser} = {
    isSystemUser = true;
    group = giteaUser;
    home = giteaHome;
    useDefaultShell = true;
  };

  users.groups.${giteaUser} = { };

  # Registration token for the Actions runner. A leaked token lets anyone
  # register a runner that receives this instance's jobs (and their secrets).
  # No owner is set, so sops-nix keeps the decrypted file root-only; that is
  # fine as long as the runner unit reads it via systemd rather than as its own
  # user. NOTE(review): nixpkgs describes tokenFile as an environment file that
  # defines TOKEN=… — confirm the decrypted file has that shape.
  sops.secrets."forgejo-runner-token" = {
    sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml;
  };

  services.gitea-actions-runner = {
    # Forgejo's fork of act_runner instead of the Gitea default package.
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = "base";
      url = "https://${domain}";
      tokenFile = config.sops.secrets."forgejo-runner-token".path;
      # Job containers share the host's network namespace, so anything
      # listening on this machine (including Forgejo's plain-HTTP port 3001
      # when it runs here, and any loopback-only service) is reachable from
      # CI. Only appropriate while every workflow on this instance is trusted;
      # a bridge or dedicated network is the safer default.
      settings.container.network = "host";
      # Label -> image map. All tags here are mutable (":latest" and release
      # tags alike), so image contents can change under a job without any
      # change to this file; pinning by digest would make that explicit.
      labels = [
        "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
        "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
        "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
        "nix:docker://git.hoyer.xyz/harald/nix-runner:latest"
      ];
    };
  };
}