# NixOS module: Gitea served on loopback, published through an nginx TLS
# reverse proxy, with the database password supplied by an agenix secret.
{config, ...}: let
  # Name of the agenix secret holding the database password. Bound once so the
  # secret's declaration and its consumer cannot drift apart.
  dbPasswordSecret = "services/gitea/password-database";

  # Merged Gitea server settings, read back from the evaluated config so the
  # nginx vhost follows whatever DOMAIN / HTTP_ADDR / HTTP_PORT end up being.
  giteaServer = config.services.gitea.settings.server;
in {
  services.gitea = {
    enable = true;
    appName = "nekowinston's Gitea";
    lfs.enable = true;

    database = {
      type = "postgres";
      # Only a path is referenced here; the password itself is not written in
      # this file.
      passwordFile = config.age.secrets.${dbPasswordSecret}.path;
    };

    settings = {
      server = rec {
        DOMAIN = "git.winston.sh";
        # Loopback bind: the HTTP listener is not exposed on external
        # interfaces; the nginx vhost below proxies to this address and port.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 12492;
        # https scheme matches forceSSL on the vhost and COOKIE_SECURE below.
        ROOT_URL = "https://${DOMAIN}/";
      };

      # No self-service sign-up on this instance.
      service.DISABLE_REGISTRATION = true;

      # Session cookie is marked Secure, so browsers send it over HTTPS only.
      session.COOKIE_SECURE = true;
    };
  };

  # The decrypted secret file is owned by "gitea" so the service can read it.
  # NOTE(review): must match the account Gitea runs as (services.gitea.user);
  # that option is not set in this file - confirm it is left at "gitea".
  age.secrets.${dbPasswordSecret}.owner = "gitea";

  services.nginx.virtualHosts.${giteaServer.DOMAIN} = {
    # Plain-HTTP requests are redirected to HTTPS.
    forceSSL = true;
    # No per-vhost certificate; the one for the "winston.sh" ACME host is
    # reused instead.
    # NOTE(review): that certificate is defined outside this file and has to
    # cover git.winston.sh (wildcard or extraDomainNames) - confirm.
    enableACME = false;
    useACMEHost = "winston.sh";

    locations."/" = {
      # Raises nginx's request-body limit for this vhost, presumably for LFS
      # objects and large pushes over HTTP. The limit applies to every request
      # reaching this location, not only authenticated ones.
      extraConfig = "client_max_body_size 512M;";
      proxyPass = "http://${giteaServer.HTTP_ADDR}:${toString giteaServer.HTTP_PORT}";
    };
  };
}