{
  config,
  lib,
  pkgs,
  self,
  ...
}: let
  pubsolarDomain = import ./pubsolar-domain.nix;
in {
  age.secrets.gitea-database-password = {
    file = "${self}/secrets/gitea-database-password.age";
    mode = "600";
    group = "gitea";
  };

  # age.secrets.gitea-mailer-password = {
  #   file = "${self}/secrets/gitea-mailer-password.age";
  #   mode = "600";
  #   owner = "gitea";
  # };

  systemd.tmpfiles.rules = [
    "d '/data/gitea/db' 0770 root postgres - -"
    "d '/data/gitea/gitea' 0770 root gitea - -"
  ];

  users.groups.postgres = {};
  users.groups.gitea = {};
  ids.uids.gitea = 994;
  ids.gids.gitea = 994;

  containers.gitea = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.0";
    localAddress = "192.168.105.0";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::5";

    bindMounts = {
      "/var/lib/postgresql/14" = {
        hostPath = "/data/gitea/db";
        isReadOnly = false;
      };

      "/var/lib/gitea" = {
        hostPath = "/data/gitea/gitea";
        isReadOnly = false;
      };

      "${config.age.secrets.gitea-database-password.path}" = {
        hostPath = "${config.age.secrets.gitea-database-password.path}";
        isReadOnly = true;
      };
    };

    config = {
      networking.nameservers = ["1.1.1.1"];

      services.gitea = {
        enable = true;
        package = pkgs.forgejo;
        appName = "pub.solar git server";
        database = {
          type = "postgres";
          passwordFile = config.age.secrets.gitea-database-password.path;
        };
        lfs.enable = true;
        # mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
        settings = {
          server = {
            DOMAIN = "git.${pubsolarDomain}";
            HTTP_ADDR = "127.0.0.1";
            HTTP_PORT = 3000;
            ROOT_URL = "https://git.${pubsolarDomain}";
          };
          mailer = {
            ENABLED = false;
            PROTOCOL = "smtps";
            SMTP_ADDR = "mx2.greenbaum.cloud";
            SMTP_PORT = 465;
            FROM = ''"pub.solar git server" <gitea@pub.solar>'';
            USER = "admins@pub.solar";
          };
          "repository.signing" = {
            SIGNING_KEY = "default";
            MERGES = "always";
          };
          openid = {
            ENABLE_OPENID_SIGNIN = true;
            ENABLE_OPENID_SIGNUP = true;
          };
          # uncomment after initial deployment, first user is admin user
          # required to setup SSO (oauth openid-connect, keycloak auth provider)
          service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
          service.ENABLE_NOTIFY_MAIL = true;
          session.COOKIE_SECURE = lib.mkForce true;
        };
      };

      # See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
      # Required for gitea server side gpg signatures
      # configured/setup manually in:
      # /var/lib/gitea/data/home/.gitconfig
      # /var/lib/gitea/data/home/.gnupg/
      # sudo su gitea
      # export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
      # gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
      # TODO: implement declarative GPG key generation and
      # gitea gitconfig
      programs.gnupg.agent = {
        enable = true;
        pinentryFlavor = "curses";
      };
      # Required to make gpg work without a graphical environment?
      # otherwise generating a new gpg key fails with this error:
      # gpg: agent_genkey failed: No pinentry
      # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
      environment.variables = {
        GPG_TTY = "$(tty)";
      };
    };
  };
}