{ lib, pkgs, config, ... }:

let
  # Public hostname of the Forgejo instance; the CI frontend lives on a
  # subdomain of it so both share one ACME setup.
  forgejoDomain = "git.encryptionin.space";
  ciDomain = "build.${forgejoDomain}";

  # Backend listeners. Both are reached through nginx on localhost only;
  # nginx terminates TLS in front of them.
  forgejoPort = 3100;
  woodpeckerPort = 8000;

  # Secrets file shared by the Woodpecker server and the agent
  # (presumably holds the agent secret both sides need — confirm against the file).
  woodpeckerSecrets = [ "/var/lib/secrets/woodpecker.env" ];

  # TLS settings common to both reverse-proxied virtual hosts.
  tlsVirtualHost = {
    forceSSL = true;
    enableACME = true;
  };

  # Reverse-proxy the whole virtual host to a loopback backend on `port`.
  proxyTo = port: {
    locations = {
      "/" = {
        proxyPass = "http://localhost:${toString port}";
      };
    };
  };
in
{
  # nginx virtual hosts. services.nginx.enable is not set in this file, so
  # nginx itself is expected to be switched on elsewhere in the configuration.
  services.nginx.virtualHosts = {
    "${forgejoDomain}" = tlsVirtualHost // proxyTo forgejoPort // {
      # Raise the request-body limit so large pushes (LFS is enabled below)
      # are not rejected at the proxy before they reach Forgejo.
      extraConfig = ''
        client_max_body_size 512M;
      '';
    };
    "${ciDomain}" = tlsVirtualHost // proxyTo woodpeckerPort;
  };

  services.forgejo = {
    enable = true;
    database.type = "postgres";
    # Enable support for Git Large File Storage
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = forgejoDomain;
        ROOT_URL = "https://${forgejoDomain}";
        HTTP_PORT = forgejoPort;
      };
      # No self-service sign-up: accounts are created by an administrator.
      service.DISABLE_REGISTRATION = true;
      # Webhooks may target external hosts and loopback. Loopback is needed
      # because Woodpecker runs on this same machine; it also means a webhook
      # can reach any other service bound to localhost, so webhook creation
      # should stay limited to trusted repository owners.
      webhook.ALLOWED_HOST_LIST = "external,loopback";
    };
  };

  services.woodpecker-server = {
    enable = true;
    environment = {
      WOODPECKER_HOST = "https://${ciDomain}";
      # Any account on the Forgejo instance may sign in to Woodpecker. This is
      # only as tight as Forgejo's own account policy — registration is
      # disabled above, which is what keeps this from being world-open.
      WOODPECKER_OPEN = "true";
      WOODPECKER_ADMIN = "hackerncoder";
      WOODPECKER_FORGEJO = "true";
      WOODPECKER_FORGEJO_URL = "https://${forgejoDomain}";
    };
    environmentFile = woodpeckerSecrets;
  };

  services.woodpecker-agents.agents.docker = {
    enable = true;
    # Group membership is what lets the agent open the podman socket below.
    # NOTE(review): that socket appears to be the system-wide podman
    # instance, so whatever a pipeline can do through it is close to root on
    # this host — confirm this matches the trust placed in CI jobs.
    extraGroups = [ "podman" ];
    environment = {
      WOODPECKER_MAX_WORKFLOWS = "4";
      DOCKER_HOST = "unix:///run/podman/podman.sock";
      WOODPECKER_BACKEND = "docker";
    };
    environmentFile = woodpeckerSecrets;
  };

  virtualisation.podman = {
    enable = true;
    # Name resolution between containers on the default podman network.
    defaultNetwork.settings.dns_enabled = true;
  };

  # This is needed for podman to be able to talk over dns.
  # Only the podman0 bridge interface is opened, not the public interfaces.
  networking.firewall.interfaces.podman0 = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [ 53 ];
  };
}