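# NixOS module: a Forgejo instance for git.itamar.site, reachable only through
# an nginx reverse proxy that terminates TLS with an ACME certificate.
# The system OpenSSH daemon is enabled on port 22, and Forgejo advertises that
# port in its SSH clone URLs.
{ config, lib, ... }:
let
  # Public hostname, shared by Forgejo's URLs and the nginx virtual host so
  # the two cannot drift apart.
  domain = "git.itamar.site";

  # Forgejo's [server] settings, re-read so nginx proxies to exactly the
  # address and port Forgejo is told to listen on.
  srv = config.services.forgejo.settings.server;
in
{
  services.forgejo = {
    enable = true;
    appName = "git.itamar.site";
    database.type = "sqlite3";
    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = domain;
        # Listen on loopback only; the firewall below does not open 3000, and
        # the only configured path in is nginx on 443.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        ROOT_URL = "https://${domain}/";
        # Plain HTTP is confined to the loopback hop between nginx and Forgejo.
        PROTOCOL = "http";

        # SSH stays enabled but the built-in SSH server is off, and the
        # advertised port is the first port of the system sshd.
        DISABLE_SSH = false;
        START_SSH_SERVER = false;
        SSH_DOMAIN = domain;
        SSH_PORT = lib.head config.services.openssh.ports;

        # Git over HTTP(S) is turned off.
        # NOTE(review): lfs.enable is true above; confirm LFS transfers still
        # work with HTTP git disabled.
        DISABLE_HTTP_GIT = true;
      };

      # Session cookies carry the Secure flag; consistent with forceSSL below.
      security = {
        COOKIE_SECURE = true;
      };

      # No self-service sign-up.
      service = {
        DISABLE_REGISTRATION = true;
      };

      log.LEVEL = "Info";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts.${domain} = {
      enableACME = true;
      # Redirect every plain-HTTP request to HTTPS.
      forceSSL = true;
      # Request-body limit for this vhost (large pushes / LFS objects).
      extraConfig = ''
        client_max_body_size 512M;
      '';
      locations."/" = {
        # Use the bind address from the Forgejo settings rather than
        # "localhost": Forgejo listens on 127.0.0.1 only, while "localhost"
        # can also resolve to ::1, where nothing is listening.
        proxyPass = "http://${srv.HTTP_ADDR}:${toString srv.HTTP_PORT}";
        # Forward the Host and client-address headers to the backend, so the
        # proxied request is not attributed to the proxy itself.
        recommendedProxySettings = true;
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "itamar@itamar.site";
  };

  # NOTE(review): sshd is allowed through the firewall below, and no
  # authentication settings (password vs. key-only login) are set in this
  # module; confirm they are set elsewhere in the system configuration.
  services.openssh = {
    enable = true;
    ports = [ 22 ];
  };

  # SSH ports follow services.openssh.ports (the same source as SSH_PORT);
  # 80 serves the HTTPS redirect and ACME, 443 serves the site.
  networking.firewall.allowedTCPPorts = config.services.openssh.ports ++ [ 80 443 ];
}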