# NixOS module for a self-hosted Gitea instance. Gitea and its Actions runner
# are taken from nixpkgs-unstable, the database is PostgreSQL, Elasticsearch
# backs the repository/issue indexers, and nginx terminates TLS in front of
# Gitea's loopback-only HTTP listener.
{ config, lib, inputs, pkgs, ... }:
let
  # Module files (relative to nixos/modules) whose stable versions are
  # replaced by the ones shipped in nixpkgs-unstable.
  swappedModules = [
    "services/misc/gitea.nix"
    "services/continuous-integration/gitea-actions-runner.nix"
  ];

  gitea = config.services.gitea;
  giteaServer = gitea.settings.server;
  elastic = config.services.elasticsearch;
in
{
  # swap out Gitea stable for unstable
  disabledModules = swappedModules;
  imports = map (m: "${inputs.nixpkgs-unstable}/nixos/modules/${m}") swappedModules;

  # The decrypted database password is owned by the gitea user.
  # NOTE(review): the "services/gitea/runner-token" secret used by the runner
  # below is not configured in this file; confirm where it is declared and
  # which account may read it.
  age.secrets."services/gitea/password-database".owner = "gitea";

  # Opens TCP 22 in the host firewall, presumably for Git over SSH; nothing in
  # this file configures the SSH daemon itself, so its hardening lives elsewhere.
  networking.firewall.allowedTCPPorts = [22];

  services.elasticsearch.enable = true;

  services.gitea = {
    package = pkgs.unstable.gitea;
    enable = true;
    appName = "winston's gitea";
    lfs.enable = true;

    database = {
      type = "postgres";
      # Read from the agenix-managed file so the password stays out of the Nix store.
      passwordFile = config.age.secrets."services/gitea/password-database".path;
    };

    settings = {
      actions.ENABLED = true;

      # Both indexers talk to the local Elasticsearch over plain HTTP with no
      # credentials in the connection string.
      # NOTE(review): this is only acceptable while listenAddress is a
      # loopback address; confirm it is not overridden elsewhere.
      indexer =
        let
          indexerType = "elasticsearch";
          connStr = "http://${elastic.listenAddress}:${toString elastic.port}";
        in
        {
          REPO_INDEXER_ENABLED = true;
          REPO_INDEXER_TYPE = indexerType;
          REPO_INDEXER_CONN_STR = connStr;
          ISSUE_INDEXER_TYPE = indexerType;
          ISSUE_INDEXER_CONN_STR = connStr;
        };

      # Pushing to a repository that does not exist yet creates it under the
      # pushing user's account.
      repository.ENABLE_PUSH_CREATE_USER = true;

      # Gitea listens on loopback only; public traffic reaches it through the
      # nginx virtual host defined at the bottom of this module.
      server =
        let
          domain = "git.winston.sh";
        in
        {
          DOMAIN = domain;
          HTTP_ADDR = "127.0.0.1";
          HTTP_PORT = 12492;
          ROOT_URL = "https://${domain}/";
        };

      # No self-service sign-up.
      service.DISABLE_REGISTRATION = true;

      # Session cookies are sent over HTTPS only and never on cross-site requests.
      session.COOKIE_SECURE = true;
      session.SAME_SITE = "strict";

      "ui.meta" = {
        AUTHOR = "nekowinston";
        DESCRIPTION = "winston's gitea instance";
      };

      # Keep version, template timing and branding out of the page footer.
      other = {
        SHOW_FOOTER_VERSION = false;
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
        SHOW_FOOTER_BRANDING = false;
      };
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.unstable.gitea-actions-runner;

    instances.main = {
      enable = true;
      name = "main";
      url = giteaServer.ROOT_URL;
      tokenFile = config.age.secrets."services/gitea/runner-token".path;

      # "act-latest" is a mutable tag on a third-party image.
      # NOTE(review): pinning the image by digest would make the job
      # environment reproducible and harder to swap out unnoticed.
      labels = ["ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"];

      # Job containers are attached to the host network, so workflow steps
      # can reach services bound to loopback on this machine (Gitea's HTTP
      # listener above, and Elasticsearch if it listens on loopback) without
      # passing through nginx.
      # NOTE(review): prefer an isolated container network unless host
      # networking is actually required by the workflows.
      settings.container.network = "host";
    };
  };

  # Appended after the Gitea module's own preStart: unlock the custom
  # directory contents, copy the customizations from ./gitea over them, then
  # make them read-only again for the service user.
  # NOTE(review): `**` only recurses when bash's globstar option is enabled;
  # if the unit script runs without it, the pattern is equivalent to
  # custom/*/* and entries directly under custom/ are not touched by either
  # chmod. Confirm that this is the intended scope.
  systemd.services.gitea.preStart = lib.mkAfter ''
    chmod u+w -R ${gitea.stateDir}/custom/**/*
    # apply customizations
    cp -Rf ${./gitea}/* ${gitea.stateDir}/custom
    chmod u-w -R ${gitea.stateDir}/custom/**/*
  '';

  # TLS-only virtual host reusing the certificate of the "winston.sh" ACME
  # host; requests are proxied to Gitea's loopback listener over plain HTTP.
  services.nginx.virtualHosts.${giteaServer.DOMAIN} = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
    locations."/" = {
      # Request bodies up to 512M are accepted (presumably for large pushes
      # and LFS uploads).
      extraConfig = "client_max_body_size 512M;";
      proxyPass = "http://${giteaServer.HTTP_ADDR}:${toString giteaServer.HTTP_PORT}";
    };
  };
}