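# NixOS module: self-hosted Forgejo instance backed by MySQL, with SSH key
# lookup for the forgejo account delegated to the system sshd.
#
# `pkgs` and `lib` stay in the argument set for call compatibility; nothing
# below uses them, so the former `with lib; with builtins;` scopes were dropped
# (they only widened name resolution and could mask typos).
{pkgs, lib, config, ...}: {
  services.forgejo = {
    enable = true;

    settings.server = {
      ROOT_URL = "https://git.shibe.pro";
      DOMAIN = "git.shibe.pro";
      HTTP_PORT = 48540;
      OFFLINE_MODE = true; # disable gravatar, CDN
    };

    # NOTE(review): Actions workflows run repository-supplied code on whatever
    # runners get registered; no runner is configured in this module, so verify
    # their isolation wherever they are defined.
    settings.actions = {
      ENABLED = true;
    };

    # NOTE(review): presumably megabytes (Forgejo's documented unit for these
    # keys), i.e. roughly 4 GiB per file and 20 files per request. Confirm the
    # disk and any fronting proxy's body-size limit are sized for that.
    settings."repository.upload" = {
      FILE_MAX_SIZE = 4095;
      MAX_FILES = 20;
    };
    settings."attachment" = {
      MAX_SIZE = 4095;
      MAX_FILES = 20;
    };

    # Closed instance: no self-service sign-up, e-mail addresses hidden by default.
    settings.service = {
      DISABLE_REGISTRATION = true;
      DEFAULT_KEEP_EMAIL_PRIVATE = true;
    };

    database = {
      user = "forgejo";
      # The password is read from a file path at runtime rather than embedded
      # here, which keeps it out of the world-readable Nix store.
      # NOTE(review): the sops secret "forgejo/db_password" is not declared in
      # this module; it must exist elsewhere and be readable by the service user.
      passwordFile = config.sops.secrets."forgejo/db_password".path;
      name = "forgejodb";
      type = "mysql";
    };
  };

  # Allow forgejo user to adjust authorized_keys dynamically
  #
  # A Match block stays in effect until the next Match line or end of file.
  # extraConfig is merged from every module that sets it, so the trailing
  # `Match All` returns to global scope and keeps directives appended after
  # this fragment from being silently restricted to the forgejo user.
  services.openssh.extraConfig = ''
    Match User forgejo
      AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
    Match All
  '';

  # NOTE(review): this exposes Forgejo's plain-HTTP listener through the host
  # firewall. ROOT_URL is https, so TLS is presumably terminated by a reverse
  # proxy. If that proxy runs on this host, remove this entry (and consider
  # binding settings.server.HTTP_ADDR to loopback) so clients cannot reach the
  # service without TLS. If the proxy is on another machine, restrict the
  # source address instead of opening the port to everyone.
  networking.firewall.allowedTCPPorts = [48540];
}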