{
  pkgs,
  lib,
  config,
  service_configs,
  ...
}:
{
  imports = [
    (lib.serviceMountWithZpool "gitea" service_configs.zpool_ssds [ config.services.gitea.stateDir ])
    (lib.serviceFilePerms "gitea" [
      "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
    ])
    (lib.mkCaddyReverseProxy {
      domain = service_configs.gitea.domain;
      port = service_configs.ports.private.gitea.port;
    })
    (lib.mkFail2banJail {
      name = "gitea";
      failregex = "^.*Failed authentication attempt for .* from <HOST>:.*$";
    })
  ];

  services.gitea = {
    enable = true;
    appName = "Simon Gardling's Gitea instance";
    stateDir = service_configs.gitea.dir;
    database = {
      type = "postgres";
      socket = service_configs.postgres.socket;
    };

    settings = {
      server = {
        SSH_USER = "gitea";
        DOMAIN = service_configs.gitea.domain;
        ROOT_URL = "https://" + config.services.gitea.settings.server.DOMAIN;
        HTTP_PORT = service_configs.ports.private.gitea.port;
        LANDING_PAGE = "/explore/repos";
        DISABLE_HTTP_GIT = true;
      };
      session = {
        # https cookies or smth
        COOKIE_SECURE = true;
      };
      # only I shall use gitea
      service.DISABLE_REGISTRATION = true;
      actions.ENABLED = true;
    };
  };

  # Hide repo Actions/workflow details from anonymous visitors. Gitea's own
  # REQUIRE_SIGNIN_VIEW=expensive mode does not cover /{user}/{repo}/actions,
  # so we gate the path at Caddy: forward_auth probes Gitea's /api/v1/user
  # with the incoming request's Cookie/Authorization headers. A logged-in
  # session answers 200 and the original request falls through to the
  # reverse_proxy from mkCaddyReverseProxy; a 401 is turned into a redirect
  # to the login page so the browser shows the login form instead of the
  # workflow list. Workflow status badges stay public so README links keep
  # rendering.
  services.caddy.virtualHosts.${service_configs.gitea.domain}.extraConfig = ''
    @repoActionsNotBadge {
      path_regexp ^/[^/]+/[^/]+/actions(/.*)?$
      not path_regexp ^/[^/]+/[^/]+/actions/workflows/[^/]+/badge\.svg$
    }
    handle @repoActionsNotBadge {
      forward_auth :${toString service_configs.ports.private.gitea.port} {
        uri /api/v1/user

        @unauthorized status 401
        handle_response @unauthorized {
          redir * /user/login?redirect_to={uri} 302
        }
      }
    }
  '';

  services.postgresql = {
    ensureDatabases = [ config.services.gitea.user ];
    ensureUsers = [
      {
        name = config.services.gitea.database.user;
        ensureDBOwnership = true;
        ensureClauses.login = true;
      }
    ];
  };

  services.openssh.settings.AllowUsers = [ config.services.gitea.user ];

}