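# NixOS module: a Forgejo instance behind nginx, with PostgreSQL as database,
# Elasticsearch as repository/issue indexer, MinIO (S3-compatible) object
# storage, hCaptcha on registration, and agenix-managed secrets.
{
  config,
  inputs,
  pkgs,
  ...
}: let
  # Module paths (relative to nixos/modules) taken from nixpkgs-unstable
  # instead of the stable channel. The runner module is swapped here as well,
  # although this file does not configure a runner itself.
  modules = [
    "services/misc/forgejo.nix"
    "services/continuous-integration/gitea-actions-runner.nix"
  ];

  forgejoUser = config.services.forgejo.user;
  secretPath = name: config.age.secrets."services/forgejo/${name}".path;
in {
  # swap out stable for unstable modules
  disabledModules = modules;
  imports = builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}") modules;

  # Every secret handed to Forgejo below must be readable by the Forgejo
  # service user. Only `owner` is set here; the encrypted `file` of each secret
  # is presumably declared in another module (not visible in this file).
  age.secrets = {
    "services/forgejo/minio-secretkey".owner = forgejoUser;
    "services/forgejo/password-database".owner = forgejoUser;
    # Fix: this secret is referenced by services.forgejo.secrets.service below
    # but had no owner set here. Unless another module sets it, agenix leaves
    # the file owned by root and the Forgejo user cannot read it.
    "services/forgejo/hcaptcha-secret".owner = forgejoUser;
  };

  # indexer
  # NOTE(review): Forgejo talks to this instance over plain HTTP without
  # credentials (see `conn` below). That is only acceptable while
  # services.elasticsearch.listenAddress stays on loopback; verify it is not
  # overridden elsewhere.
  services.elasticsearch.enable = true;

  services.forgejo = {
    enable = true;
    package = pkgs.unstable.forgejo;

    database = {
      type = "postgres";
      passwordFile = secretPath "password-database";
    };

    lfs.enable = true;

    # Values are paths to decrypted secret files, keyed by app.ini section and
    # setting name, so the secret values do not appear in this file.
    secrets = {
      storage = {
        MINIO_SECRET_ACCESS_KEY = secretPath "minio-secretkey";
      };
      service = {
        HCAPTCHA_SECRET = secretPath "hcaptcha-secret";
      };
    };

    settings = {
      DEFAULT.APP_NAME = "winston's forgejo";

      indexer = let
        inherit (config.services.elasticsearch) listenAddress port;
        indexer = "elasticsearch";
        conn = "http://${listenAddress}:${toString port}";
      in {
        REPO_INDEXER_ENABLED = true;
        REPO_INDEXER_CONN_STR = conn;
        REPO_INDEXER_TYPE = indexer;
        ISSUE_INDEXER_CONN_STR = conn;
        ISSUE_INDEXER_TYPE = indexer;
      };

      # NOTE(review): no [metrics] TOKEN is configured, and the nginx "/"
      # location below proxies every path to Forgejo, so /metrics looks
      # reachable from the internet without authentication. Confirm, then
      # either set a TOKEN through services.forgejo.secrets or restrict the
      # path in nginx to the scraper's address.
      metrics = {
        ENABLED = true;
        ENABLED_ISSUE_BY_REPOSITORY = true;
        ENABLED_ISSUE_BY_LABEL = true;
      };

      repository = {
        # Lets a user create a repository in their own namespace by pushing to
        # a path that does not exist yet.
        ENABLE_PUSH_CREATE_USER = true;
      };

      # Key fingerprint and identity Forgejo uses for server-side commit
      # signing. The fingerprint is public; the private key has to exist in the
      # Forgejo user's GnuPG keyring, which this file does not provision.
      "repository.signing" = {
        SIGNING_KEY = "040C2D69C44F7B38065208FCCEED88FF3F03801B";
        SIGNING_NAME = "winston's Forgejo";
        SIGNING_EMAIL = "code@winston.sh";
      };

      # `rec` so ROOT_URL can be derived from DOMAIN. Forgejo binds to loopback
      # only; TLS termination and public exposure are handled by nginx below.
      server = rec {
        DOMAIN = "code.winston.sh";
        ROOT_URL = "https://${DOMAIN}/";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 12492;
        # allow fetch from gravatar etc.
        OFFLINE_MODE = false;
      };

      service = {
        ENABLE_CAPTCHA = true;
        CAPTCHA_TYPE = "hcaptcha";
        # The site key is the public half; the secret half is injected through
        # services.forgejo.secrets.service.HCAPTCHA_SECRET above.
        HCAPTCHA_SITEKEY = "4ec475d2-ed5e-4fa0-b048-793a8ddc2464";
      };

      # Session cookie is sent over HTTPS only and never on cross-site
      # requests.
      session = {
        COOKIE_NAME = "forgejo-session";
        COOKIE_SECURE = true;
        SAME_SITE = "strict";
      };

      storage = {
        STORAGE_TYPE = "minio";
        # Clients are redirected to the object store for downloads instead of
        # streaming through Forgejo, so MINIO_ENDPOINT must be reachable by
        # them.
        SERVE_DIRECT = true;
        MINIO_ENDPOINT = "s3.winston.sh";
        MINIO_ACCESS_KEY_ID = "forgejo";
        MINIO_BUCKET = "forgejo";
        MINIO_LOCATION = "eu-central-1";
        MINIO_USE_SSL = true;
      };

      "ui.meta" = {
        AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
      };

      # Hide version and template timing from the page footer so the running
      # release is not advertised to every visitor.
      other = {
        SHOW_FOOTER_VERSION = false;
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
        SHOW_FOOTER_POWERED_BY = false;
      };
    };
  };

  # Public HTTPS front end. The certificate comes from the existing
  # "winston.sh" ACME host rather than a per-vhost one.
  services.nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = let
    inherit (config.services.forgejo.settings.server) HTTP_ADDR HTTP_PORT;
    upstream = "http://${HTTP_ADDR}:${toString HTTP_PORT}";
  in {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
    locations = {
      "/" = {
        # Raised request body limit for large uploads.
        extraConfig =
          # nginx
          ''
            client_max_body_size 512M;
          '';
        proxyPass = upstream;
      };
      # don't spam the log with runner polls
      # NOTE(review): this also removes these requests from the access log as
      # an audit source; runner activity then has to be traced in Forgejo's
      # own logs.
      "/api/actions/runner.v1.RunnerService/FetchTask" = {
        extraConfig = "access_log off;";
        proxyPass = upstream;
      };
    };
  };
}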