{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (pkgs) fetchurl;
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;
  inherit (config.services.forgejo) customDir user group;

  cfg = config.modules.system.services.forgejo;

  port = 3000;
  domain = "copeberg.org";
  img = ./img;
  acmeRoot = "/var/lib/acme/challenges-forgejo";
  dataDir = "/srv/data/forgejo";
in {
  options.modules.system.services.forgejo.enable = mkEnableOption "forgejo";

  config = mkIf cfg.enable {
    modules.system.services = {
      database.postgresql.enable = true;
      nginx.enable = true;
    };

    networking.firewall.allowedTCPPorts = [
      443
      80
      3000
    ];

    services.nginx = {
      enable = true;
      virtualHosts.${domain} = {
        addSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString port}";
        };
      };
    };

    security.acme = let
      email = "charlie@charlieroot.dev";
    in {
      # testing server, do not use in production, but DO use it for setting things up.
      # it has much higher rate limits.
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      certs = {
        ${domain} = {
          webroot = acmeRoot;
          inherit email;
          group = "nginx";
        };
      };
    };

    # create the git user for forgejo
    # NOTE: this is important and it will _not_ work otherwise.
    users.users.git = {
      home = dataDir;
      useDefaultShell = true;
      group = "git";
      isSystemUser = true;
    };
    users.groups.git = {};

    services.forgejo = {
      enable = true;
      package = pkgs.forgejo;
      stateDir = dataDir;

      user = "git";
      group = "git";
      database = {
        createDatabase = true;
        name = "git";
        user = "git";
        type = "postgres";
      };

      # Disable support for Git Large File Storage
      lfs.enable = false;

      settings = {
        server = {
          DOMAIN = domain;
          # You need to specify this to remove the port from URLs in the web UI.
          ROOT_URL = "https://${domain}/";
          HTTP_PORT = port;
          LANDING_PAGE = "home";
        };
        DEFAULT = {
          APP_NAME = "Copeberg.org";
          APP_SLOGAN = "Code and seethe.";
        };
        # disable registration by default.
        service.DISABLE_REGISTRATION = true;

        # Add support for actions, based on act: https://github.com/nektos/act
        actions = {
          ENABLED = false;
          DEFAULT_ACTIONS_URL = "github";
        };
        ui = {
          SHOW_USER_EMAIL = false;
          THEMES = "codeberg-dark";
          DEFAULT_THEME = "codeberg-dark";
        };

        # The glory of the old default branch name
        repository = {
          DEFAULT_BRANCH = "master";
        };

        "repository.signing" = {
          SIGNING_KEY = "none";
        };
      };
    };

    systemd.tmpfiles.rules = let
      # no crawlers, thank you.
      robots = pkgs.writeText "robots-txt" ''
        User-agent: *
        Disallow: /
      '';
      base-brand = fetchurl {
        url = "https://codeberg.org/Codeberg-Infrastructure/forgejo/raw/branch/codeberg-10/web_src/css/themes/codeberg/base-brand.css";
        hash = "sha256-QJ775HpINf8klO3d/8h+tEw0vk34p19dWUCWWuVwcho=";
      };
      dark-variables = fetchurl {
        url = "https://codeberg.org/Codeberg-Infrastructure/forgejo/raw/branch/codeberg-10/web_src/css/themes/codeberg/dark-variables.css";
        hash = "sha256-nCSJUOU9/R1fldoKXTTZmP7vmRjYUk/OKkbgrJ/NrXQ=";
      };
      theme-codeberg-dark = fetchurl {
        url = "https://codeberg.org/Codeberg-Infrastructure/forgejo/raw/branch/codeberg-10/web_src/css/themes/theme-codeberg-dark.css";
        hash = "sha256-KyXznH49koRGlzIDDqagN4PvFGD/zCX//wrctmtfgBs=";
      };
    in [
      "d '${customDir}/public' 0750 ${user} ${group} - -"
      "d '${customDir}/public/assets' 0750 ${user} ${group} - -"
      "d '${customDir}/public/assets/img' 0750 ${user} ${group} - -"
      # Copeberg logo, thanks Raf <3
      "L+ '${customDir}/public/assets/img/logo.svg' - - - - ${img}/logo.svg"
      "L+ '${customDir}/public/assets/img/logo.png' - - - - ${img}/logo.png"
      "L+ '${customDir}/public/assets/img/apple-touch-icon' - - - - ${img}/logo.png"
      "L+ '${customDir}/public/assets/img/favicon.svg' - - - - ${img}/logo.svg"
      "L+ '${customDir}/public/assets/img/favicon.png' - - - - ${img}/logo.png"

      # Theming shenanigans
      "d '${customDir}/public/assets' 0750 ${user} ${group} - -"
      "d '${customDir}/public/assets/css' 0750 ${user} ${group} - -"
      "d '${customDir}/public/assets/css/codeberg' 0750 ${user} ${group} - -"

      "L+ '${customDir}/public/assets/css/theme-codeberg-dark.css' - - - - ${theme-codeberg-dark}"
      "L+ '${customDir}/public/assets/css/codeberg/base-brand.css' - - - - ${base-brand}"
      "L+ '${customDir}/public/assets/css/codeberg/dark-variables.css' - - - - ${dark-variables}"

      # Templates
      "d '${customDir}/templates' 0750 ${user} ${group} - -"
      "d '${customDir}/templates/repo' 0750 ${user} ${group} - -"
      # Home page
      "L+ '${customDir}/templates/home.tmpl' - - - - ${./templates}/home.tmpl"
      "L+ '${customDir}/templates/repo/header.tmpl' - - - - ${./templates/repo}/header.tmpl"

      # Fuck off scrapers
      "L+ ${customDir}/public/robots.txt - - - - ${robots.outPath}"
    ];
  };
}