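# Forgejo service module: runs Forgejo on a plain-HTTP port that is only
# reachable from the reverse-proxy interface, optionally registers a Forgejo
# Actions runner, and (with `proxy`) publishes the Caddy vhost and dashboard
# entry on the proxy host.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.my.services.forgejo;
  inherit (config.my.server) domain proxyIP firewallInterface;
  # Honour the `subdomain` option instead of hard-coding "git"; its default is
  # "git", so the resulting name is unchanged for existing deployments.
  forgejoDomain = "${cfg.subdomain}.${domain}";
  forgejoUrl = "https://${forgejoDomain}";
in
{
  options.my.services.forgejo = {
    enable = mkEnableOption "Forgejo";
    proxy = mkEnableOption "Forgejo reverse proxy entry";
    actions = mkOption {
      type = types.submodule (_: {
        options.enable = mkEnableOption "Forgejo Actions";
      });
    };
    subdomain = mkOption {
      type = types.str;
      default = "git";
      example = "git";
      description = "Subdomain to use for the service.";
    };
    port = mkOption {
      type = types.port;
      default = 3000;
      example = 8080;
      description = "HTTP port for the Forgejo service.";
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      services.forgejo = {
        enable = true;
        package = pkgs.unstable.forgejo;
        settings.server = {
          DOMAIN = forgejoDomain;
          ROOT_URL = forgejoUrl;
          # No built-in SSH server: git access is HTTPS-only via the proxy.
          DISABLE_SSH = true;
          HTTP_PORT = cfg.port;
        };
        settings.session = {
          # ROOT_URL is https, so session cookies must never travel in clear.
          COOKIE_SECURE = true;
        };
        settings.service = {
          # Local (password) self-registration is off ...
          DISABLE_REGISTRATION = true;
        };
        settings.openid = {
          ENABLE_OPENID_SIGNIN = true;
          # ... but OpenID signup and OAuth2 auto-registration below still
          # create an account on first federated login, so the identity
          # provider decides who can obtain an account here.
          ENABLE_OPENID_SIGNUP = true;
        };
        settings.oauth2_client = {
          ENABLE_AUTO_REGISTRATION = true;
        };
      };

      # The plain-HTTP listener is only opened on the proxy-facing interface.
      networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [ cfg.port ];

      # Runner registration token. Declared whenever Forgejo is enabled, not
      # only when the runner is, so the secret is present on every Forgejo host.
      age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;

      services.gitea-actions-runner = mkIf cfg.actions.enable {
        package = pkgs.unstable.forgejo-runner;
        instances.venus = {
          enable = true;
          name = "venus";
          url = forgejoUrl;
          settings = {
            # log = {
            #   level = "debug";
            # };
            # NOTE(review): the host Podman socket is mounted into every job
            # container, the containers run privileged, and any host path may
            # be mounted (valid_volumes = ["*"]). Together this gives a
            # workflow on this runner effectively host-level access, so only
            # trusted repositories should be allowed to target it.
            options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
            runner = {
              # Up to five such jobs may run concurrently.
              capacity = 5;
              timeout = "45m";
            };
            container = {
              privileged = true;
              valid_volumes = [ "*" ];
              # Images are addressed by a mutable tag (act-latest) but are not
              # refreshed once cached; upstream image fixes only arrive after
              # a manual pull.
              force_pull = false;
              network = "bridge";
            };
          };
          labels = [
            "debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
            "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
          ];
          tokenFile = config.age.secrets.forgejoActions.path;
        };
      };
    })

    (mkIf cfg.proxy {
      # Caddy terminates TLS; the local login page is redirected into the
      # Keycloak OAuth2 flow and everything else is proxied to Forgejo over
      # the firewalled interface.
      services.caddy.virtualHosts."${forgejoDomain}".extraConfig = ''
        redir /user/login /user/oauth2/Keycloak?{query}
        reverse_proxy http://${proxyIP}:${toString cfg.port}
      '';
      webapps.dashboardCategories = [
        {
          name = "Git";
          tag = "git";
        }
      ];
      webapps.apps.forgejo.dashboard = {
        name = "Forgejo";
        category = "git";
        icon = "git-alt";
        url = forgejoUrl;
        description = "Beyond coding. We forge.";
      };
    })
  ];
}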