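{ config, inputs, pkgs, ... }:
let
  # Forgejo and the actions runner are taken from nixpkgs-unstable; the stable
  # copies of the same modules are disabled so both definitions do not clash.
  unstableModules = [
    "services/misc/forgejo.nix"
    "services/continuous-integration/gitea-actions-runner.nix"
  ];
  forgejoCfg = config.services.forgejo;
  es = config.services.elasticsearch;
  domain = "code.winston.sh";
in
{
  disabledModules = unstableModules;
  imports = map (m: "${inputs.nixpkgs-unstable}/nixos/modules/${m}") unstableModules;

  # Only `owner` is set here; the secret files themselves must be declared in
  # another module (agenix requires `file` per secret).
  age.secrets = {
    "services/forgejo/minio-secretkey".owner = forgejoCfg.user;
    "services/forgejo/password-database".owner = forgejoCfg.user;
  };

  # git-over-SSH for Forgejo. Nothing here enables Forgejo's built-in SSH
  # server, so this presumably relies on the system sshd listening on 22.
  networking.firewall.allowedTCPPorts = [ 22 ];

  # Repository/issue indexer backend. It is addressed below over plain HTTP
  # with no credentials in the connection string, so it must stay bound to a
  # loopback-only address.
  services.elasticsearch.enable = true;

  services.forgejo = {
    enable = true;
    package = pkgs.unstable.forgejo;

    database = {
      type = "postgres";
      passwordFile = config.age.secrets."services/forgejo/password-database".path;
    };

    lfs.enable = true;

    # Secrets are injected from files at runtime rather than written into
    # app.ini via `settings`.
    secrets.storage.MINIO_SECRET_ACCESS_KEY =
      config.age.secrets."services/forgejo/minio-secretkey".path;

    settings = {
      DEFAULT.APP_NAME = "winston's forgejo";

      indexer = let
        esUrl = "http://${es.listenAddress}:${toString es.port}";
      in {
        REPO_INDEXER_ENABLED = true;
        REPO_INDEXER_TYPE = "elasticsearch";
        REPO_INDEXER_CONN_STR = esUrl;
        ISSUE_INDEXER_TYPE = "elasticsearch";
        ISSUE_INDEXER_CONN_STR = esUrl;
      };

      # Any authenticated user may create a repository by pushing to it.
      repository.ENABLE_PUSH_CREATE_USER = true;

      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${domain}/";
        # Loopback only; nginx below is the sole public entry point.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 12492;
        # Forgejo fetches external resources (gravatar etc.) itself.
        OFFLINE_MODE = false;
      };

      session = {
        COOKIE_NAME = "forgejo-session";
        COOKIE_SECURE = true;
        # NOTE(review): "strict" is the safest CSRF setting but can break
        # cross-site login flows (e.g. OAuth2 redirects back to Forgejo);
        # drop to "lax" if an external identity provider is added.
        SAME_SITE = "strict";
      };

      storage = {
        STORAGE_TYPE = "minio";
        # Clients are handed presigned URLs to fetch objects directly from
        # the bucket instead of streaming through Forgejo.
        SERVE_DIRECT = true;
        MINIO_ENDPOINT = "s3.winston.sh";
        # Access key ID only; the secret half comes from `secrets.storage`.
        MINIO_ACCESS_KEY_ID = "forgejo";
        MINIO_BUCKET = "forgejo";
        MINIO_LOCATION = "eu-central-1";
        MINIO_USE_SSL = true;
      };

      "ui.meta".AUTHOR = "nekowinston's Forgejo - Beyond coding. 
We forge.";

      # Hide version/template-timing footers so the exact release is not
      # advertised to unauthenticated visitors.
      other = {
        SHOW_FOOTER_VERSION = false;
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
        SHOW_FOOTER_POWERED_BY = false;
      };
    };
  };

  # Container runtime for action jobs.
  virtualisation.podman.enable = true;

  services.gitea-actions-runner = {
    package = pkgs.unstable.forgejo-runner;
    instances.main = {
      enable = true;
      name = "main";
      url = forgejoCfg.settings.server.ROOT_URL;
      # NOTE(review): this secret is not declared in the age.secrets block
      # above; it must be defined in another module or evaluation fails.
      tokenFile = config.age.secrets."services/forgejo/runner-token".path;
      # `act-latest` is a mutable tag; pin by digest if reproducible job
      # images are required.
      labels = [ "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" ];
      settings.container = {
        # SECURITY: job containers share the host network namespace, so any
        # workflow (and push-to-create is enabled for every user above) can
        # reach loopback-only services such as Forgejo's HTTP listener and the
        # credential-less Elasticsearch indexer. Prefer bridge networking plus
        # the --add-host mapping below if that exposure is not intended.
        network = "host";
        # NOTE(review): maps forgejo.winston.sh while DOMAIN is code.winston.sh;
        # nothing else in this file references that hostname — possibly stale.
        options = "--add-host=forgejo.winston.sh:host-gateway";
      };
    };
  };

  services.nginx.virtualHosts.${forgejoCfg.settings.server.DOMAIN} = {
    forceSSL = true;
    enableACME = false;
    # Certificate is obtained for the parent domain elsewhere.
    useACMEHost = "winston.sh";
    locations = let
      upstream =
        "http://${forgejoCfg.settings.server.HTTP_ADDR}:${toString forgejoCfg.settings.server.HTTP_PORT}";
    in {
      "/" = {
        proxyPass = upstream;
        # `combined_geoip` must be defined as a log_format in the global
        # nginx config; presumably done elsewhere.
        extraConfig = ''
          access_log /var/log/nginx/forgejo.access.log combined_geoip;
          client_max_body_size 512M;
        '';
      };
      # Runner polls are noisy, so this path is not logged. nginx does not
      # inherit proxy_pass across location blocks, so this more specific
      # prefix location needs its own proxyPass; without it the poll
      # requests would be answered by nginx itself instead of Forgejo.
      "/api/actions/runner.v1.RunnerService/FetchTask" = {
        proxyPass = upstream;
        extraConfig = "access_log off;";
      };
    };
  };
}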