# NixOS module: a Forgejo instance published through Caddy, plus one Forgejo
# Actions runner ("chmura") registered against that same local instance.
{ config, lib, pkgs, ... }:
let
  # Shorthand for the evaluated [server] section, so the domain and port are
  # written once and reused by the runner and the reverse proxy.
  forgejoServer = config.services.forgejo.settings.server;

  # Backend port rendered as a string for interpolation into URLs.
  backendPort = toString forgejoServer.HTTP_PORT;
in
{
  # The runner registration token is stored as an age-encrypted file and only
  # referenced by path further down, so the plaintext never appears in this
  # module. Decryption and the permissions of the decrypted file are handled
  # by the age module, which is not shown here.
  age.secrets.forgejo-runner-token.file = ../../../secrets/forgejo-runner-token.age;

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    database.type = "postgres";

    # Periodic instance dumps, packed as tar.xz.
    dump.enable = true;
    dump.type = "tar.xz";

    settings.DEFAULT.APP_NAME = "fuck it we code";

    settings.server = {
      DOMAIN = "git.jacekpoz.pl";
      # Plain-HTTP backend port; TLS is left to the Caddy virtual host below.
      # NOTE(review): HTTP_ADDR is not set in this file. Unless it is
      # overridden elsewhere, the listener is not restricted to loopback, so
      # confirm the firewall keeps this port closed or set
      # HTTP_ADDR = "127.0.0.1" so only the local proxy and runner reach it.
      HTTP_PORT = 1849;
      ROOT_URL = "https://${forgejoServer.DOMAIN}/";
      # Built-in SSH server, currently disabled:
      # START_SSH_SERVER = true;
      # SSH_PORT = 8236;
      # SSH_LISTEN_PORT = 8236;
    };

    # Self-service sign-up is off; accounts have to be created by an admin.
    # This matters for the runner below, which executes jobs on the host.
    settings.service.DISABLE_REGISTRATION = true;

    settings.actions = {
      ENABLED = true;
      # Base URL used to resolve `uses:` references that are not full URLs.
      # Action code fetched from there runs on the runner defined below, so
      # workflows should pin actions to a commit hash rather than a tag.
      DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
    };

    # NOTE(review): federation is enabled on the same instance that drives a
    # host-executing runner; confirm that remote actors cannot cause
    # workflows to be scheduled.
    settings.federation.ENABLED = true;
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;

    instances.chmura = {
      enable = true;
      name = config.networking.hostName;
      # The runner talks to Forgejo directly over loopback, bypassing Caddy.
      url = "http://localhost:${backendPort}";
      tokenFile = config.age.secrets.forgejo-runner-token.path;

      # The ":host" backend runs job steps directly on this machine as the
      # runner's service user instead of inside a container.
      # NOTE(review): any account able to get a workflow scheduled on this
      # runner effectively has code execution on the host within the unit's
      # sandbox. Keep registration closed and scope the runner to the
      # repositories that actually need it.
      labels = [ "native:host" ];

      # Tools made available to jobs. Listed in attribute-name order, which
      # is the order attrValues yields for the same set of packages.
      hostPackages = [
        pkgs.bash
        pkgs.fd
        pkgs.git
        pkgs.nix
        pkgs.nodejs
        pkgs.ripgrep
      ];

      settings.log.level = "info";
      settings.runner = {
        file = ".runner";
        # At most two jobs at a time, each bounded to three hours.
        capacity = 2;
        timeout = "3h";
        # Keeps TLS certificate verification on. Presumably without effect
        # while `url` is plain HTTP on loopback; confirm before moving the
        # runner to another host.
        insecure = false;
        fetch_timeout = "5s";
        fetch_interval = "2s";
      };
    };
  };

  # Lets the runner unit write to /srv/web on top of whatever the upstream
  # unit already permits. Because jobs run on the host, every workflow step
  # can modify everything under this path.
  # NOTE(review): keep this as narrow as the deployment allows.
  systemd.services.gitea-runner-chmura.serviceConfig.ReadWritePaths = "/srv/web";

  # Only needed if the built-in SSH server above is turned on:
  # networking.firewall.allowedTCPPorts = [ forgejoServer.SSH_PORT ];

  # Caddy serves the public host name and forwards every request to the
  # Forgejo backend port on loopback.
  services.caddy = {
    enable = true;
    virtualHosts."git.jacekpoz.pl".extraConfig = ''
      reverse_proxy * localhost:${backendPort}
    '';
  };
}