{ lib, pkgs, config, ... }:
let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
  domain = "git.procopius.dk";
in
{
  users.users.plasmagoat.extraGroups = [ "forgejo" ];

  services.forgejo = {
    enable = true;
    user = "forgejo";
    group = "forgejo";
    stateDir = "/srv/forgejo";
    settings = {
      # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${srv.DOMAIN}/";
        PROTOCOL = "http";
        HTTP_PORT = 3000;
      };
      database = {
        DB_TYPE = lib.mkForce "postgres";
        HOST = "/run/postgresql";
        NAME = "forgejo";
        USER = "forgejo";
      };
      service = {
        DISABLE_REGISTRATION = true;
      };
      metrics = {
        ENABLED = true;
        ENABLED_ISSUE_BY_REPOSITORY = true;
        ENABLED_ISSUE_BY_LABEL = true;
      };
      # log = {
      #   ROOT_PATH = "/var/log/forgejo";
      #   MODE = "file";
      #   LEVEL = "Info";
      # };

      security = {
        INSTALL_LOCK = true;
        SECRET_KEY = "changeme";  # can be another secret
      };
    };
  };

  sops.secrets.forgejo-admin-password.owner = "forgejo";
  sops.secrets.forgejo-db-password.owner = "forgejo";

  systemd.services.forgejo.preStart = let
    adminCmd = "${lib.getExe cfg.package} admin user";
    user = "plasmagoat"; # Note, Forgejo doesn't allow creation of an account named "admin"
    pwd = config.sops.secrets.forgejo-admin-password;
  in ''
    ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
    ## uncomment this line to change an admin user which was already created
    # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
  '';

  # Optional: firewall
  networking.firewall.allowedTCPPorts = [ 3000 ];
}