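# NixOS module for a self-hosted Forgejo instance: Caddy terminates TLS and
# proxies to Forgejo's loopback HTTP listener, git-over-SSH goes through the
# system sshd (restricted to the `git` user), Gatus monitors both entry
# points and borgbackup covers the state directory.
{ config, lib, ... }:
let
  # Plain-HTTP listener for Forgejo; only Caddy (same host) talks to it.
  port = 5027;
  # Directory holding the ACME-issued certificate and key used by Caddy.
  certloc = "/var/lib/acme/fi33.buzz";
  hostname = "git.fi33.buzz";
  url = "https://git.fi33.buzz";
  # Forgejo uses the system sshd rather than its own SSH server, so the
  # port shown in clone URLs is taken from the sshd configuration.
  sshPort = lib.head config.services.openssh.ports;
in
{
  services = {
    forgejo = {
      enable = true;
      # Nightly dump of the database/repositories. Presumably written below
      # the Forgejo state dir (module default), which is what borgbackup
      # picks up further down — verify dump.backupDir if the state dir moves.
      dump = {
        enable = true;
        interval = "00:00";
      };
      lfs.enable = true;
      settings = {
        server = {
          # keep-sorted start
          DOMAIN = hostname;
          # Bind the HTTP listener to loopback only. Caddy is its sole client,
          # so the unencrypted port must never be reachable from other
          # interfaces (the module's default binds all addresses and the only
          # thing keeping it private would be the host firewall).
          HTTP_ADDR = "127.0.0.1";
          HTTP_PORT = port;
          ROOT_URL = url;
          SSH_PORT = sshPort;
          # keep-sorted end
        };
        # No self-service sign-up: accounts are provisioned by an admin.
        service.DISABLE_REGISTRATION = true;
      };
      user = "git";
      group = "git";
    };
    # sshd accepts logins for the `git` user only. Any administrative SSH user
    # has to be added to AllowUsers elsewhere (the list is merged across modules).
    openssh.settings.AllowUsers = [ "git" ];
    # Uptime checks for the HTTPS front door and the SSH endpoint; failures
    # are pushed via ntfy.
    gatus.settings.endpoints = [
      {
        name = "Forgejo";
        group = "Private Services";
        inherit url;
        interval = "5m";
        conditions = [
          "[STATUS] == 200"
          "[CONNECTED] == true"
          "[RESPONSE_TIME] < 500"
        ];
        alerts = [ { type = "ntfy"; } ];
      }
      {
        name = "Forgejo SSH";
        group = "Private Services";
        url = "ssh://${hostname}:${toString sshPort}";
        interval = "5m";
        conditions = [
          "[CONNECTED] == true"
          "[RESPONSE_TIME] < 500"
        ];
        alerts = [ { type = "ntfy"; } ];
      }
    ];
    # Both backup targets include the whole Forgejo state directory
    # (repositories, LFS objects, and the nightly dumps).
    borgbackup.jobs = {
      onsite.paths = [ "/var/lib/forgejo" ];
      offsite.paths = [ "/var/lib/forgejo" ];
    };
    # TLS termination: explicit cert/key from the ACME directory, TLS 1.3 only,
    # then forward to the loopback Forgejo listener.
    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {
        protocols tls1.3
      }
    '';
  };
  users = {
    # System account Forgejo runs as; it needs a real login shell so sshd can
    # run the Forgejo SSH command for pushes/pulls over `git@` URLs.
    users.git = {
      home = "/var/lib/forgejo";
      useDefaultShell = true;
      group = "git";
      isSystemUser = true;
    };
    groups.git = { };
  };
}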