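# NixOS module: runs Gitea inside a NixOS container, fronted by nginx on the
# host (ACME/forceSSL), with the Mailgun SMTP password supplied via sops.
{ config, pkgs, inputs, lib, ... }:
let
  httpPort = 8083;
  sshPort = 22;
  domain = "git.cyplo.dev";
  emailDomain = "peninsula.industries";
  baseurl = "https://${domain}";
  path = "/var/lib/gitea";
  mailgunSmtpSecretName = "gitea-mailgun-smtp-password";
  # sops places the decrypted secret here on the host; the same path is
  # bind-mounted (read-only) into the container below, so the password never
  # enters the Nix store.
  mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
  # Fixed uid/gid so the gitea user inside the container and the owner of the
  # bind-mounted state directory / secret on the host agree.
  uid = 2051;
  gid = 3051;
  systemUserName = "gitea";
  systemGroupName = "gitea";
  # Declared once and applied on both the host (`inherit users` below) and the
  # container (`users = users // ...` in its config).
  users = {
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
    };
    groups."${systemGroupName}" = {
      inherit gid;
      # nginx is a member of the gitea group; presumably so it can read
      # group-readable files under ${path} — confirm this is still needed,
      # since HTTP is proxied over TCP and not served from disk.
      members = [ "${systemUserName}" "nginx" ];
    };
  };
in
{
  imports = [ ../nginx.nix ];
  inherit users;

  # Lets unprivileged processes bind any port, so Gitea's built-in SSH server
  # can listen on 22 without root.  This is host-wide: every unprivileged
  # process on the host may then bind low ports.  A narrower alternative is
  # granting CAP_NET_BIND_SERVICE (systemd AmbientCapabilities) to the gitea
  # service alone.
  boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; };
  systemd.services.systemd-sysctl.enable = lib.mkForce true;

  # Only the Gitea SSH port is opened here; 80/443 are not (presumably handled
  # in ../nginx.nix).  Gitea's HTTP port stays reachable only via the proxy.
  networking.firewall.allowedTCPPorts = [ sshPort ];

  services.nginx = {
    virtualHosts = {
      "${domain}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:" + toString httpPort;
        };
      };
    };
  };

  # Decrypted on the host, readable only by the gitea user/group.
  sops.secrets."${mailgunSmtpSecretName}" = {
    sopsFile = ./mailgun.sops.yaml;
    path = mailgunSmtpPasswordPath;
    owner = systemUserName;
    group = systemGroupName;
  };

  containers.gitea = {
    autoStart = true;
    # Fix: the original entry used `inherit httpPort`, which defines an
    # attribute named `httpPort` rather than the `hostPort` the forwardPorts
    # submodule expects.  Note that forwardPorts only takes effect when
    # privateNetwork is enabled, which this container does not set — confirm
    # whether these entries are still wanted.
    forwardPorts = [
      { hostPort = httpPort; containerPort = httpPort; }
      { containerPort = sshPort; hostPort = sshPort; }
    ];
    bindMounts = {
      # Gitea state lives on the host so it survives container rebuilds.
      "${path}" = {
        hostPath = "${path}";
        isReadOnly = false;
      };
      # SMTP password, read-only inside the container.
      "${mailgunSmtpPasswordPath}" = {
        hostPath = "${mailgunSmtpPasswordPath}";
        isReadOnly = true;
      };
    };

    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "22.05";
      # Immutable user database; no account has a password, hence
      # allowNoPasswordLogin so evaluation does not reject the configuration.
      users = users // {
        mutableUsers = false;
        allowNoPasswordLogin = true;
      };

      services.gitea = {
        inherit domain httpPort;
        enable = true;
        rootUrl = baseurl;
        stateDir = path;
        user = systemUserName;
        mailerPasswordFile = mailgunSmtpPasswordPath;
        settings = {
          # Self-registration is off; accounts are created by an admin.
          service.DISABLE_REGISTRATION = true;
          server = {
            START_SSH_SERVER = true;
            SSH_PORT = sshPort;
            SSH_LISTEN_PORT = sshPort;
            DISABLE_SSH = false;
            LFS_START_SERVER = true;
          };
          mailer = {
            ENABLED = true;
            # NOTE(review): this value has a trailing space and no address
            # part; Gitea expects an e-mail address (optionally with a display
            # name) here — confirm outgoing mail actually works.
            FROM = "git.cyplo.dev ";
            MAILER_TYPE = "smtp";
            # Port 465 with IS_TLS_ENABLED = implicit TLS.  Newer Gitea
            # releases express this via PROTOCOL instead; check the deployed
            # version's deprecation notices.
            HOST = "smtp.eu.mailgun.org:465";
            IS_TLS_ENABLED = true;
            USER = "postmaster@${emailDomain}";
          };
        };
      };
    };
  };
}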