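# NixOS module: a Forgejo instance backed by a local PostgreSQL database.
# Forgejo serves HTTP on `http_port` and runs its built-in SSH server on
# `ssh_port`; both ports are opened in the host firewall below.
{ lib, pkgs, config, ... }:
let
  dbname = "forgejo";
  ssh_port = 2225;
  http_port = 3000;
  domain = "new.git.cdaut.de";
in
{
  # enable and configure forgejo
  services.forgejo = {
    enable = true;

    database = {
      type = "postgres";
      name = dbname;
    };

    settings = {
      server = {
        ROOT_URL = "https://${domain}";
        DOMAIN = domain;
        SSH_PORT = ssh_port;
        HTTP_PORT = http_port;
        # important because otherwise ssh doesn't seem to work…
        # This starts Forgejo's built-in SSH server on SSH_PORT, separate from
        # any system sshd.
        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
      };

      cache = {
        ADAPTER = "twoqueue";
        HOST = "{\"size\":100, \"recent_ratio\":0.25, \"ghost_ratio\":0.5}";
      };

      # No self-service sign-up: accounts are created by an administrator.
      service.DISABLE_REGISTRATION = true;
      repository.USE_COMPAT_SSH_URI = true;

      # NOTE(review): a one-year "remember me" lifetime keeps a copied session
      # cookie usable for just as long; shorten it if that window is too wide
      # for this instance.
      security.LOGIN_REMEMBER_DAYS = 365;

      # Certificate verification stays on for migrations. Skipping it lets
      # anyone on the network path impersonate the source host, tamper with
      # the imported repository and read the access token sent along with the
      # migration request. If a source host fails verification, the usual
      # causes are a server that does not send its intermediate certificate or
      # a private CA; fix the chain on that server, or add the CA to the system
      # trust store via `security.pki.certificateFiles`.
      migrations.SKIP_TLS_VERIFY = false;
    };
  };

  # enable a PostgreSQL DB for forgejo
  services.postgresql = {
    enable = true;
    ensureDatabases = [ dbname ];
  };

  # NOTE(review): ROOT_URL is https, so TLS is presumably terminated by a
  # reverse proxy. If that proxy runs on this host, `http_port` does not need
  # to be reachable from outside and can be dropped from this list so the
  # plain-HTTP listener is not exposed — confirm where the proxy lives.
  networking.firewall.allowedTCPPorts = [ http_port ssh_port ];
}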