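# NixOS module: a Forgejo instance published through an nginx TLS reverse
# proxy, with the certificate obtained via an ACME DNS challenge (Cloudflare).
{ config, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
in
{
  # Credentials for the ACME DNS provider, kept in a sops-encrypted file.
  # Only the path of the decrypted secret is referenced further down, so the
  # credential value never appears in this module.
  # NOTE(review): the provider token should be limited to DNS edits on the
  # one zone that needs certificates; confirm its scope.
  sops.secrets."env".sopsFile = ../../secrets/cf-acme.yaml;

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@10110110.xyz";
      dnsProvider = "cloudflare";
      # Environment file with the provider credentials (the secret above).
      environmentFile = config.sops.secrets."env".path;
    };
  };

  services.nginx = {
    enable = true;
    # Same value as before (cfg.settings.server.DOMAIN), spelled via `srv`
    # like the other references in this file.
    virtualHosts.${srv.DOMAIN} = {
      forceSSL = true;
      enableACME = true;
      acmeRoot = null; # use DNS
      locations."/" = {
        recommendedProxySettings = true;
        # Follows HTTP_ADDR/HTTP_PORT below so proxy and backend cannot drift.
        proxyPass = "http://${srv.HTTP_ADDR}:${toString srv.HTTP_PORT}";
        # Upper bound on request bodies nginx accepts for this location.
        extraConfig = ''
          client_max_body_size 512M;
        '';
      };
    };
  };

  services.forgejo = {
    enable = true;
    database.type = "sqlite3";
    # NOTE(review): the dump presumably contains the database, including
    # credential hashes and tokens. Confirm where it is written, who can
    # read it, and how long it is kept.
    dump.enable = true;
    settings = {
      server = {
        DOMAIN = "git.10110110.xyz";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${srv.DOMAIN}/";
        # Listen on loopback only: the backend speaks plain HTTP, so it
        # should be reachable solely through the TLS-terminating nginx vhost
        # and not directly on HTTP_PORT from other hosts.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
      };
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      actions = {
        # NOTE(review): with Actions enabled, workflow code from repositories
        # runs on whatever runners are registered; keep runners isolated from
        # this host and from the secrets above.
        ENABLED = true;
        # Default source for actions that a workflow names without a full
        # URL. Those are third-party code: pin them to a commit in workflows.
        # NOTE(review): confirm the deployed Forgejo version accepts this
        # value as written.
        DEFAULT_ACTIONS_URL = "github";
      };
    };
  };
}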