# NixOS module wrapping the upstream `services.gitea` module for this host.
# It adds two options (`subdomain`, `secrets`), wires Gitea to a local
# PostgreSQL socket, exposes the web UI through the local reverse proxy and
# opens the firewall for Gitea's built-in SSH server.
{ lib, config, ... }:
let
  inherit (lib) mkOption mkIf mkDefault types;

  cfg = config.services.gitea;

  # Public hostname: <subdomain>.<networking.domain>; used for ROOT_URL,
  # SSH_DOMAIN and the reverse-proxy vhost so the three cannot drift apart.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  # Single source of truth for the two ports that appear more than once below
  # (HTTP port is shared with the proxy, SSH port with the firewall rule).
  httpPort = 3008;
  sshPort = 2222;
in
{
  options.services.gitea = {
    # Host label under networking.domain; no default, must be set by the host.
    subdomain = mkOption { type = types.str; };

    # Optional systemd EnvironmentFile with secrets (e.g. GITEA__* overrides).
    # It is loaded by systemd for the gitea unit, so keep it readable by root
    # only — do not place it in the world-readable Nix store.
    secrets = mkOption {
      type = types.nullOr types.path;
      default = null;
    };
  };

  config = mkIf cfg.enable {
    services = {
      gitea = {
        database = {
          type = "postgres";
          # Unix socket rather than TCP; no DB password needs to exist anywhere.
          socket = "/run/postgresql";
        };

        settings = {
          server = {
            ROOT_URL = "https://${fqdn}/";
            # Bind the HTTP listener to loopback only; the reverse proxy below is
            # the sole public entry point for the web UI.
            HTTP_ADDR = "127.0.0.1";
            HTTP_PORT = httpPort;
            SSH_DOMAIN = fqdn;
            SSH_PORT = sshPort;
            SSH_LISTEN_PORT = sshPort;
            # Gitea's built-in SSH server, not the system sshd. SSH_LISTEN_HOST is
            # not set here, so it listens on Gitea's default address (presumably
            # all interfaces — confirm); the firewall rule below opens that port.
            START_SSH_SERVER = true;
          };

          service = {
            # NOTE(review): self-registration is explicitly left open on a
            # publicly reachable instance. Confirm this is intended; if not, set
            # DISABLE_REGISTRATION = true (or gate it with REQUIRE_SIGNIN_VIEW /
            # an allow-list).
            DISABLE_REGISTRATION = false;
          };

          mailer = {
            # Mailer is switched on but no host/credentials are given here; those
            # are expected to come from elsewhere (e.g. the secrets file above).
            ENABLED = true;
          };
        };
      };

      webserver = {
        enable = mkDefault true;
        # Public vhost for the instance, proxied to the loopback HTTP listener.
        vHosts.${fqdn}.locations."/".proxyPort = httpPort;
      };

      postgresql = {
        enable = mkDefault true;
        ensureDatabases = [ "gitea" ];
        ensureUsers = [
          {
            name = "gitea";
            # The gitea DB role owns the gitea database (peer auth over the socket).
            ensureDBOwnership = true;
          }
        ];
      };
    };

    # Only attach the EnvironmentFile when a secrets path was actually given.
    systemd.services.gitea.serviceConfig = mkIf (cfg.secrets != null) {
      EnvironmentFile = cfg.secrets;
    };

    # Expose only the SSH port; HTTP stays behind the reverse proxy.
    networking.firewall.allowedTCPPorts = [ sshPort ];
  };
}