{ pkgs, lib, config, ... }:

let
  # Forgejo runs as this dedicated system account; the same name is reused
  # for the state directory and the local database role below.
  forgejoUser = "gitea";
  forgejoGroup = "gitea";
  forgejoHome = "/var/lib/gitea";
  forgejoDomain = "git.hoyer.xyz";

  # Container images the runner advertises per label.
  # NOTE(review): these are unpinned registry tags, and node 16 is end-of-life
  # upstream — pin by digest and move to a supported image if reproducible,
  # patched CI jobs are a goal.
  runnerLabels = [
    "ubuntu-latest:docker://node:16-bullseye"
    "ubuntu-22.04:docker://node:16-bullseye"
    "ubuntu-20.04:docker://node:16-bullseye"
    "ubuntu-18.04:docker://node:16-buster"
  ];
in
{
  # Database password for Forgejo, decrypted by sops-nix at activation.
  # Owned by the Forgejo service account so the service can read it while the
  # decrypted file stays unreadable to other local users.
  sops.secrets."postgres/gitea_dbpass" = {
    sopsFile = ../../../.secrets/hetzner/postgres.yaml; # supply your own encrypted file
    owner = config.services.forgejo.user;
  };

  services.forgejo = {
    enable = true;
    user = forgejoUser;
    group = forgejoGroup;
    stateDir = forgejoHome;

    database = {
      type = "postgres";
      name = "gitea";
      user = "gitea";
      # The password is never written into the Nix store; it is read from the
      # sops-managed path at runtime.
      passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
    };

    settings = {
      # No self-service sign-up: accounts are created by an administrator.
      service.DISABLE_REGISTRATION = true;

      server = {
        DOMAIN = forgejoDomain;
        ROOT_URL = "https://${forgejoDomain}/";
        # Plain HTTP on 3001 while ROOT_URL is https, which implies TLS is
        # terminated by a reverse proxy configured elsewhere — TODO confirm,
        # and check that this port is not reachable except through that proxy.
        HTTP_PORT = 3001;
      };

      # Warn-level logging keeps the journal quiet; TODO confirm that any
      # authentication events you alert on are still emitted at this level.
      log.LEVEL = "Warn";
    };
  };

  users.users.${forgejoUser} = {
    isSystemUser = true;
    group = forgejoGroup;
    home = forgejoHome;
    useDefaultShell = true;
  };
  users.groups.${forgejoGroup} = { };

  services.postgresql = {
    package = pkgs.postgresql_14;

    # One cluster serves both Forgejo and Nextcloud; the Nextcloud service
    # itself is configured elsewhere.
    ensureDatabases = [
      config.services.forgejo.database.name
      "nextcloud"
    ];

    # Each role owns exactly its own database; no shared privileged role.
    ensureUsers = [
      {
        name = config.services.forgejo.database.user;
        ensureDBOwnership = true;
      }
      {
        name = "nextcloud";
        ensureDBOwnership = true;
      }
    ];
  };

  # Registration token for the Actions runner. No owner is set here, so the
  # decrypted file keeps sops-nix's default ownership.
  # NOTE(review): presumably the runner module passes this file to the service
  # via systemd before privileges are dropped — confirm against the module.
  sops.secrets."forgejo-runner-token" = {
    sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # supply your own encrypted file
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;

    instances.default = {
      enable = true;
      name = "base";
      url = "https://${forgejoDomain}";
      tokenFile = config.sops.secrets.forgejo-runner-token.path;
      # All labels are docker:// targets, so jobs run in containers and the
      # runner needs a container runtime on this host — treat the host as part
      # of the CI trust boundary.
      labels = runnerLabels;
    };
  };
}