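# NixOS module: Forgejo behind an nginx TLS reverse proxy, with the SMTP
# credentials provisioned through sops-nix.
#
# Arguments:
#   domainName - base domain; the instance is served at git.<domainName>
#   config     - the evaluated NixOS configuration, used for the sops secret
#                paths and the Forgejo service user
{ domainName, config, ... }:
{
  services = {
    forgejo = {
      enable = true;
      settings = {
        server = {
          ROOT_URL = "https://git.${domainName}/";
          # nginx terminates TLS; Forgejo itself only speaks plain HTTP.
          PROTOCOL = "http";
          # Bind the plain-HTTP listener to loopback so it cannot be reached
          # directly, bypassing TLS and the proxy, if the port is ever
          # exposed. Port 3000 must match the nginx proxyPass below.
          HTTP_ADDR = "127.0.0.1";
          HTTP_PORT = 3000;
          DOMAIN = "git.${domainName}";
          # Built-in SSH server. It is reached directly, not through nginx,
          # so its exposure depends on firewall rules not visible in this
          # module.
          SSH_PORT = 2222;
          START_SSH_SERVER = true;
        };
        # Session cookies are only sent over HTTPS.
        session.COOKIE_SECURE = true;
        # No self-service sign-up; accounts are created by an administrator.
        service.DISABLE_REGISTRATION = true;
        mailer = {
          ENABLED = true;
          # Pin STARTTLS explicitly instead of relying on inference from the
          # port number, so a later port change cannot silently send the
          # SMTP credentials in clear text.
          PROTOCOL = "smtp+starttls";
          SMTP_ADDR = "in-v3.mailjet.com";
          SMTP_PORT = 587;
          FROM = "me@${domainName}";
          # USER and PASSWD come from secrets below
        };
      };
      # Credentials are passed as file paths, so the values are not written
      # into this module's settings.
      secrets.mailer.USER = config.sops.secrets."forgejo-mailer-user".path;
      secrets.mailer.PASSWD = config.sops.secrets."forgejo-mailer-passwd".path;
    };

    nginx.virtualHosts."git.${domainName}" = {
      forceSSL = true;
      enableACME = true;
      # Allow large pushes and uploads over HTTP.
      extraConfig = ''
        client_max_body_size 512M;
      '';
      locations = {
        "/" = {
          # Literal loopback address to match HTTP_ADDR above; "localhost"
          # may also resolve to ::1, where Forgejo is not listening.
          proxyPass = "http://127.0.0.1:3000";
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
        };
      };
    };
  };

  # sops-nix decrypts secrets as root-owned files by default. With mode 0400
  # the Forgejo service user could not read them, so ownership is handed to
  # that user while keeping the files unreadable for everyone else.
  sops.secrets."forgejo-mailer-user" = {
    sopsFile = ./secrets/forgejo.yaml;
    owner = config.services.forgejo.user;
    mode = "0400";
  };
  sops.secrets."forgejo-mailer-passwd" = {
    sopsFile = ./secrets/forgejo.yaml;
    owner = config.services.forgejo.user;
    mode = "0400";
  };
}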