{ config, lib, pkgs, ... }: {

    options.sysconfig.virtualization.gitea.enable = lib.options.mkOption {
        type = lib.types.bool;
        default = false;
    };

    config = lib.mkIf config.sysconfig.virtualization.gitea.enable {

        networking = {
            hosts."192.168.100.20" = [ "gitea.esotericbytes.com" ];

            nat.internalInterfaces = [ "ve-gitea" ];
        };
        
        sops.secrets = {
            "gitea/dbpass" = {};
        };

        services.openssh.ports = [
            2222
        ];

        networking.firewall.allowedTCPPorts = [
            22
        ];

        containers.gitea = {

            autoStart = true;
            privateNetwork = true;
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.20";

            forwardPorts = [
                {
                    containerPort = 22;
                    hostPort = 22;
                }
            ];

            bindMounts = {
                "/etc/gitea/data" = {
                    hostPath = "/ssd1/Gitea/data";
                    isReadOnly = false;
                };
            };

            extraFlags = [
                "--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
            ];
            config = {

                systemd.services.secrets_setup = {
                    wantedBy = [ "gitea.service" ];

                    serviceConfig = {
                        LoadCredential = [
                            "dbpass"
                        ];
                    };

                    script = ''
                        cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitea/dbpass
                        chown gitea:gitea /etc/gitea/*
                    '';
                };
                
                services.gitea = {
                    enable = true;

                    stateDir = "/etc/gitea/data";

                    dump.enable = false;

                    appName = "Gitea";

                    settings = {
                        server = {
                            DOMAIN = "gitea.esotericbytes.com";
                            HTTP_PORT = 3000;
                            ROOT_URL = "https://gitea.esotericbytes.com/";
                        };
                        service = {
                            DISABLE_REGISTRATION = false;
                            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
                            REQUIRE_SIGNIN_VIEW = false;
                        };
                        oauth2_client = {
                            ENABLE_AUTO_REGISTRATION = true;
                        };
                        session.COOKIE_SECURE = true;

                        cron = {
                            ENABLED = true;
                            RUN_AT_START = true;
                        };
                    };

                    database = {
                        passwordFile = "/etc/gitea/dbpass";
                        type = "postgres";
                    };

                };
                services.openssh = {
                    enable = true;
                    settings = {
                        PermitRootLogin = lib.mkForce "no";
                        PasswordAuthentication = false;
                        KbdInteractiveAuthentication = false;
                    };
                };

                networking.firewall.allowedTCPPorts = [ 22 3000 ];

                system.stateVersion = "24.11";
            };
        };
    };
}