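{ config
, pkgs
, lib
, ...
}:
# NixOS module: a Forgejo instance behind an nginx TLS reverse proxy, with a
# dedicated Redis cache server and Forgejo's built-in SSH server on port 22.
let
  cfg = config.dadada.forgejo;
in
{
  options.dadada.forgejo = {
    enable = lib.mkEnableOption "Enable forgejo";
  };
  config = lib.mkIf cfg.enable {
    services.forgejo = {
      enable = true;
      # Runs as `gitea` with the Gitea state directory instead of the module's
      # defaults; presumably inherited from an earlier Gitea installation —
      # confirm before changing, repositories live under stateDir.
      user = "gitea";
      group = "gitea";
      stateDir = "/var/lib/gitea";

      database = {
        type = "postgres";
        name = "gitea";
        user = "gitea";
      };

      settings = {
        DEFAULT.APP_NAME = "dadada forgejo";
        service = {
          # Accounts are created by an administrator only.
          DISABLE_REGISTRATION = true;
        };
        # Forgejo reads these from the `[session]` section. The previous
        # spelling `sessions` produced a section Forgejo ignores, so
        # COOKIE_SECURE was never pinned by this module.
        session = {
          COOKIE_SECURE = true;
        };
        server = {
          ROOT_URL = "https://git.dadada.li/";
          # Listens on a unix socket; the nginx vhost below proxies to it.
          PROTOCOL = "http+unix";
          LANDING_PAGE = "explore";
          OFFLINE_MODE = true;
          DISABLE_SSH = false;

          # Use built-in SSH server on the standard port. Binding 22 relies
          # on the CAP_NET_BIND_SERVICE grant under systemd.services.forgejo
          # below, and the port must not collide with a system sshd.
          START_SSH_SERVER = true;
          SSH_PORT = 22;

          # NOTE(review): DOMAIN/ROOT_URL are hard-coded while the nginx
          # vhost below is derived from config.networking.domain; they only
          # agree when networking.domain is "dadada.li".
          DOMAIN = "git.dadada.li";
        };
        picture = {
          DISABLE_GRAVATAR = true;
          REPOSITORY_AVATAR_FALLBACK = "random";
          ENABLE_FEDERATED_AVATAR = false;
        };
        other = {
          SHOW_FOOTER_BRANDING = false;
          # Don't advertise the running version in the page footer.
          SHOW_FOOTER_VERSION = false;
          SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
        };
        log = {
          DISABLE_ROUTER_LOG = true;
          LEVEL = "Error";
        };
        cache = {
          ENABLE = true;
          ADAPTER = "redis";
          # Local unix socket of the dedicated redis server configured below.
          HOST = "network=unix,addr=${config.services.redis.servers.forgejo.unixSocket},db=0,pool_size=100,idle_timeout=180";
        };
      };
    };

    services.redis = {
      servers.forgejo = {
        enable = true;
        # Same user as forgejo so the cache socket is reachable without
        # widening its permissions.
        user = config.services.forgejo.user;
      };
      # NOTE(review): this is a host-wide sysctl, not per-instance.
      vmOverCommit = true;
    };

    # The upstream module hardens the unit; these are forced back because
    # binding port 22 needs CAP_NET_BIND_SERVICE in the host's network
    # namespace, which PrivateUsers=true would not provide.
    systemd.services.forgejo.serviceConfig = {
      AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE";
      CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
      PrivateUsers = lib.mkForce false;
    };

    services.nginx.virtualHosts."git.${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;

      # Socket path must match what services.forgejo uses for
      # PROTOCOL = "http+unix".
      locations."/".extraConfig = ''
        proxy_pass http://unix:/run/forgejo/forgejo.sock:/;
      '';
    };

    users.users.gitea = {
      home = "/var/lib/gitea";
      useDefaultShell = true;
      group = "gitea";
      isSystemUser = true;
    };

    users.groups.gitea = { };
  };
}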