{
  config,
  outputs,
  constants,
  ...
}:

{
  imports = [
    outputs.nixosModules.forgejo
    outputs.nixosModules.forgejo-runner
  ];

  services.forgejo = {
    enable = true;
    settings = {
      server = {
        DOMAIN = constants.services.forgejo.fqdn;
        ROOT_URL = "https://${constants.services.forgejo.fqdn}/";
        HTTP_PORT = constants.services.forgejo.port;
      };
      service = {
        DISABLE_REGISTRATION = true;
      };
      mailer = {
        ENABLED = true;
        FROM = "forgejo@${constants.domain}";
        SMTP_ADDR = constants.services.mail.fqdn;
        SMTP_PORT = constants.services.mail.port;
        USER = "forgejo@${constants.domain}";
      };
    };
  };

  services.forgejo-runner = {
    enable = true;
    url = "https://${constants.services.forgejo.fqdn}";
    tokenFile = config.sops.secrets."forgejo-runner/token".path;
  };

  sops.secrets."forgejo-runner/token" = {
    # gitea-runner user is created by gitea-actions-runner service
    mode = "0400";
  };

  services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString constants.services.forgejo.port}";
    };
  };
}