# NixOS module: Forgejo published through an nginx reverse proxy, with
# PostgreSQL as the database, SSO-driven sign-up, Actions, and an SMTP mailer
# whose password is read from an agenix secret.
{ config, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
  mailDomain = "tague.at";
in
{
  # Public entry point: nginx serves the vhost named after Forgejo's DOMAIN.
  services.nginx.virtualHosts.${srv.DOMAIN} = {
    # Serve over HTTPS only, with the certificate obtained via ACME.
    forceSSL = true;
    enableACME = true;
    # Raise nginx's request-body limit to 512M for this vhost.
    extraConfig = ''
      client_max_body_size 512M;
    '';
    # The hop from nginx to Forgejo is plain HTTP on localhost.
    # NOTE(review): HTTP_ADDR is not set in this file, so Forgejo's listen
    # address is whatever the default is. Confirm the HTTP port cannot be
    # reached directly from outside (firewall, or bind it to loopback), since
    # a direct connection would bypass the TLS vhost above.
    locations."/" = {
      proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
    };
  };

  services.forgejo = {
    enable = true;

    database = {
      type = "postgres";
      # NOTE(review): confirm this socket directory. NixOS's PostgreSQL
      # service normally exposes its socket under /run/postgresql.
      host = "/run/postgres/";
    };

    # Enable support for Git Large File Storage
    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "git.sprechtl.me";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${srv.DOMAIN}/";
        HTTP_PORT = 3000;
      };

      # Registration stays enabled, but only through an external (SSO) login.
      # You can temporarily allow local registration to create an admin user.
      service = {
        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true; # only SSO, no local signups
      };

      oauth2_client = {
        # Auto-create an account on first SSO login.
        # NOTE(review): this presumably gives every identity the provider
        # will authenticate a Forgejo account. Confirm the provider restricts
        # who can sign in.
        ENABLE_AUTO_REGISTRATION = true;
        # Auto-link the SSO identity if an account with that email exists.
        # NOTE(review): "auto" trusts the email address asserted by the
        # provider. Confirm every configured provider verifies email
        # ownership. Otherwise an SSO login could be attached to someone
        # else's existing account. "login" requires the user to authenticate
        # to the existing account before linking.
        ACCOUNT_LINKING = "auto";
      };

      # Add support for actions, based on act: https://github.com/nektos/act
      actions = {
        ENABLED = true;
        # NOTE(review): presumably makes short-form `uses:` references resolve
        # against GitHub, so workflow steps execute third-party code on the
        # runners. Consider pinning actions to full commit hashes and
        # isolating runners from anything sensitive.
        DEFAULT_ACTIONS_URL = "github";
      };

      # Sending emails is completely optional
      # You can send a test email from the web UI at:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      # NOTE(review): neither PROTOCOL nor SMTP_PORT is set here, so Forgejo
      # picks the transport itself. Confirm the SMTP session (including the
      # credentials) goes over TLS.
      mailer = {
        ENABLED = true;
        SMTP_ADDR = mailDomain;
        FROM = "forgejo@${mailDomain}";
        USER = "stefan@${mailDomain}";
      };
    };

    # The SMTP password is passed as the path of the agenix secret declared
    # below, not as a literal value inside `settings`.
    secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
  };

  # agenix secret holding the mailer password. Mode 400 with owner forgejo
  # makes the file readable by the forgejo user only.
  age.secrets.forgejo-mailer-password = {
    file = ../../secrets/forgejo-mailer-password.age;
    mode = "400";
    owner = "forgejo";
  };
}