{
  lib,
  pkgs,
  config,
  ...
}: let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
  domain = "git.procopius.dk";
  ssh_domain = "gitssh.procopius.dk";
in {
  users.users.plasmagoat.extraGroups = ["forgejo"];

  services.forgejo = {
    enable = true;
    user = "forgejo";
    group = "forgejo";
    stateDir = "/srv/forgejo";
    settings = {
      # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${srv.DOMAIN}/";
        PROTOCOL = "http";
        HTTP_PORT = 3000;

        START_SSH_SERVER = true;
        SSH_PORT = 2222;
        SSH_DOMAIN = ssh_domain;
      };
      mailer = {
        ENABLED = true;
        FROM = "git@procopius.dk";

        PROTOCOL = "smtp+starttls";
        SMTP_ADDR = "mail.procopius.dk";
        USER = "admin@procopius.dk";
        PASSWD = "mikael";
      };
      database = {
        DB_TYPE = lib.mkForce "postgres";
        HOST = "/run/postgresql";
        NAME = "forgejo";
        USER = "forgejo";
      };
      service = {
        DISABLE_REGISTRATION = true;
        # ENABLE_INTERNAL_SIGNIN = false;
        ENABLE_NOTIFY_MAIL = true;
      };
      metrics = {
        ENABLED = true;
        ENABLED_ISSUE_BY_REPOSITORY = true;
        ENABLED_ISSUE_BY_LABEL = true;
      };
      actions = {
        ZOMBIE_TASK_TIMEOUT = "30m";
      };
      ldap = {
        AUTHORIZATION_NAME = "My LDAP";
        HOST = "ldap.example.com";
        PORT = 389;
        ENABLE_TLS = false;
        USER_SEARCH_BASE = "ou=users,dc=example,dc=com";
        USER_FILTER = "(&(objectClass=user)(sAMAccountName=%[1]s))";
        USERNAME_ATTRIBUTE = "sAMAccountName";
        EMAIL_ATTRIBUTE = "mail";
        FIRST_NAME_ATTRIBUTE = "givenName";
        SURNAME_ATTRIBUTE = "sn";
        ADMIN_FILTER = "(&(objectClass=user)(memberOf=cn=admins,ou=groups,dc=example,dc=com))";
        SKIP_LOCAL_2FA = false;
        ALLOW_DEACTIVATE_ALL = false;
      };

      oauth2 = {
      };
      oauth2_client = {
        ENABLE_AUTO_REGISTRATION = true;
        UPDATE_AVATAR = true;
      };
      # log = {
      #   ROOT_PATH = "/var/log/forgejo";
      #   MODE = "file";
      #   LEVEL = "Info";
      # };

      security = {
        INSTALL_LOCK = true;
        SECRET_KEY = config.sops.secrets."forgejo-secret-key".path; # can be another secret
      };
    };
  };

  systemd.services.forgejo.preStart = let
    adminCmd = "${lib.getExe cfg.package} admin user";
    user = "plasmagoat"; # Note, Forgejo doesn't allow creation of an account named "admin"
    pwd = config.sops.secrets.forgejo-admin-password;
  in ''
    ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    ## uncomment this line to change an admin user which was already created
    # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
  '';

  # Optional: firewall
  networking.firewall.allowedTCPPorts = [3000 2222];
}