# NixOS module enabling the Renovate dependency-update bot against the local
# Forgejo instance.  The module definition itself is taken from the
# nixpkgs-unstable flake input rather than the system's nixpkgs.
{ config, inputs, pkgs, ... }:
let
  # agenix-managed secret files; only their on-disk paths are referenced here,
  # the decrypted contents never end up in the Nix store.
  secrets = config.age.secrets;

  # Forgejo's public hostname, reused so the Renovate endpoint tracks it.
  forgejoDomain = config.services.forgejo.settings.server.DOMAIN;
in
{
  imports = [
    "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"
  ];

  services.renovate = {
    enable = true;
    schedule = "hourly";

    # Explicit package is only required as long as the module comes from
    # unstable; drop once the module and package ship from the same nixpkgs.
    package = pkgs.unstable.renovate;

    # Extra tools available to Renovate at run time.
    runtimePackages = [
      pkgs.nix # needed for flake.lock / Nix lockfile maintenance
    ];

    # Secrets are passed as environment-variable name -> file path.
    credentials = {
      # Reuses the GHCR token so Renovate can read changelogs from github.com.
      # NOTE(review): confirm this token carries only the read scope Renovate
      # needs (changelog/package-read) — it is exposed to every repository run.
      GITHUB_COM_TOKEN = secrets."containers/ghcr-token".path;
      RENOVATE_GIT_PRIVATE_KEY = secrets."services/renovate/git-private-key".path;
      RENOVATE_TOKEN = secrets."services/renovate/token".path;
    };

    settings = {
      platform = "gitea";
      endpoint = "https://${forgejoDomain}";

      # NOTE(review): looks truncated — gitAuthor normally carries an e-mail
      # address after the display name; confirm against the original config.
      gitAuthor = "renovate[bot] ";

      # Only repositories tagged with this topic are picked up, which keeps
      # autodiscovery from touching every repo the token can see.
      autodiscover = true;
      autodiscoverTopics = [ "managed-by-renovate" ];

      # Performance-related caching.
      cachePrivatePackages = true;
      repositoryCache = "enabled";

      # Experimental: raise alerts from OSV vulnerability data.
      osvVulnerabilityAlerts = true;
    };
  };
}