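# NixOS module: a Forgejo instance served through nginx, plus a local
# Actions runner that executes jobs in Docker images.
{ pkgs, config, ... }:

let
  host = "src.514fpv.io";
in
{
  services.forgejo = {
    enable = true;
    lfs.enable = true;
    stateDir = "/nix/persist/service/forgejo";
    database.type = "postgres";
    database.createDatabase = true;

    settings = {
      server = {
        # Port advertised in SSH clone URLs.
        SSH_PORT = 8087;
        LANDING_PAGE = "explore";
        DOMAIN = host;
        # Serve HTTP on a unix socket; the nginx vhost below proxies to it.
        PROTOCOL = "http+unix";
        ROOT_URL = "https://${host}:2096/";
      };

      # Forgejo reads COOKIE_SECURE from [session]; under [server] the key is
      # ignored. Set here, it marks session cookies Secure so browsers only
      # send them over HTTPS.
      session.COOKIE_SECURE = true;

      DEFAULT.APP_NAME = "Forgejo";
      # No self-service sign-up; accounts have to be created by an admin.
      service.DISABLE_REGISTRATION = true;
    };
  };

  # Fixed UID/GID, presumably so ownership of the persisted state directory
  # stays stable across rebuilds (confirm against the persistence setup).
  users.users.forgejo.uid = 1023;
  users.groups.forgejo.gid = 1023;

  services.nginx.virtualHosts.${host} = {
    # Expects an ACME certificate named ".514fpv.io" to be configured elsewhere.
    useACMEHost = ".514fpv.io";
    # NOTE(review): addSSL enables HTTPS in addition to plain HTTP, so the
    # site stays reachable unencrypted. forceSSL would redirect instead, but
    # the listener for port 2096 is not configured in this file, so confirm
    # how a redirect would behave before switching.
    addSSL = true;
    locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock";
  };

  services.gitea-actions-runner.instances.local = {
    enable = true;
    url = "https://${host}:2096";
    name = config.networking.hostName;
    # Registration token is read from a file outside the Nix store, so it
    # does not end up world-readable in /nix/store. The file's permissions
    # are not managed here; keep it readable by root only.
    tokenFile = "/nix/persist/secret/gitea-runner";
    # NOTE(review): both labels use a mutable image tag, so jobs run whatever
    # the tag points to at pull time. Pinning the image by digest would make
    # the job environment reproducible.
    labels = [
      # provide a debian base with nodejs for actions
      "debian-latest:docker://node:18-bullseye"
      # fake the ubuntu name, because node provides no ubuntu builds
      "ubuntu-latest:docker://node:18-bullseye"
    ];
    settings = {
      # Proxy variables set in the runner's environment config. The URL
      # carries no credentials, so access control depends on the network the
      # proxy sits on.
      runner.envs =
        let
          proxy = "socks5://192.168.1.253:1080";
        in
        {
          all_proxy = proxy;
          ftp_proxy = proxy;
          http_proxy = proxy;
          https_proxy = proxy;
          rsync_proxy = proxy;
          no_proxy = "127.0.0.1,localhost,.localdomain";
        };
    };
  };

  # Persist the runner's state directory.
  environment.persistence."/nix/persist/fhs".directories = [
    "/var/lib/private/gitea-runner"
  ];
}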