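# NixOS module: single-user Gitea behind Caddy, with Postgres over a unix socket,
# git over SSH only, and a fail2ban jail on failed web logins.
{ pkgs, lib, config, service_configs, ... }:

let
  cfg = config.services.gitea;
  # Port Caddy proxies to; Gitea only listens on loopback (HTTP_ADDR below).
  giteaPort = builtins.toString cfg.settings.server.HTTP_PORT;
in
{
  imports = [
    (lib.serviceMountWithZpool "gitea" service_configs.zpool_ssds [ cfg.stateDir ])
    # tmpfiles "Z": recursively set owner/group and mode 0700 on the state dir,
    # so repositories and secrets are readable by the service user only.
    (lib.serviceFilePerms "gitea" [ "Z ${cfg.stateDir} 0700 ${cfg.user} ${cfg.group}" ])
  ];

  services.gitea = {
    enable = true;
    appName = "Simon Gardling's Gitea instance";
    stateDir = service_configs.gitea.dir;

    database = {
      type = "postgres";
      socket = service_configs.postgres.socket;
    };

    settings = {
      server = {
        # Keep in sync with the account sshd admits (AllowUsers below).
        SSH_USER = cfg.user;
        DOMAIN = service_configs.gitea.domain;
        ROOT_URL = "https://" + cfg.settings.server.DOMAIN;
        # Only the local Caddy reverse proxy should reach the plain-HTTP
        # listener; binding to loopback keeps it off the network where it
        # would be reachable without TLS (and bypass the vhost).
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = service_configs.ports.gitea;
        LANDING_PAGE = "/explore/repos";
        # Clone/push over HTTP(S) is disabled; git traffic goes over SSH only.
        DISABLE_HTTP_GIT = true;
      };
      session = {
        # Session cookie carries the Secure flag; ROOT_URL is https.
        COOKIE_SECURE = true;
      };
      # Single-user instance: no self-registration.
      service.DISABLE_REGISTRATION = true;
    };
  };

  # TLS termination; address matches HTTP_ADDR/HTTP_PORT above.
  services.caddy.virtualHosts."${service_configs.gitea.domain}".extraConfig = ''
    reverse_proxy 127.0.0.1:${giteaPort}
  '';

  # Database named after the configured database, not the unix user.
  # ensureDBOwnership requires the database name to equal the role name.
  services.postgresql = {
    ensureDatabases = [ cfg.database.name ];
    ensureUsers = [
      {
        name = cfg.database.user;
        ensureDBOwnership = true;
        ensureClauses.login = true;
      }
    ];
  };

  # sshd accepts only the gitea account (git over SSH). AllowUsers is a list
  # option that merges across modules; any administrative SSH user must be
  # added elsewhere or interactive logins are refused.
  services.openssh.settings.AllowUsers = [ cfg.user ];

  # Protect the Gitea web login from brute force attacks.
  services.fail2ban.jails.gitea = {
    enabled = true;
    settings = {
      backend = "systemd";
      port = "http,https";
      # defaults: maxretry=5, findtime=10m, bantime=10m
    };
    filter.Definition = {
      # fail2ban needs a <HOST> capture to know which address to ban; a
      # failregex without one is rejected when the filter loads, so the
      # previous pattern ("from :.*") never banned anything. Patterns follow
      # Gitea's fail2ban documentation. The address Gitea logs is the client's
      # only when it trusts Caddy's X-Forwarded-For (Gitea trusts 127.0.0.0/8
      # by default) — confirm in the journal that it is not Caddy's own IP.
      failregex = "^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>";
      ignoreregex = "";
      journalmatch = "_SYSTEMD_UNIT=gitea.service";
    };
  };
}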