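# NixOS module: Gitea behind HTTPS, enabled only when "gitea" is listed in
# config.machine.services. The database password is provided through sops-nix.
{ config, lib, ... }:
with lib;
mkIf (elem "gitea" config.machine.services) {
  services = {
    gitea =
      let
        cfg = config.machine;
        # findFirst returns `cfg` itself when no vHost entry has
        # service == "gitea", so `domain` then comes from config.machine.domain.
        inherit ((findFirst (s: s.service == "gitea") cfg cfg.vHosts)) domain;
      in
      {
        enable = true;
        user = "git";

        database = {
          type = "mysql";
          user = "git";
          name = "gitea";
          # Read from a file at runtime so the password is not a literal in this module.
          passwordFile = config.sops.secrets."services/gitea/dbPass".path;
        };

        settings = {
          repository = {
            # Git over HTTP(S) stays enabled alongside SSH.
            DISABLE_HTTP_GIT = false;
            USE_COMPAT_SSH_URI = true;
          };

          security = {
            # Keeps the web installer locked so it cannot be used to reconfigure the instance.
            INSTALL_LOCK = true;
            COOKIE_USERNAME = "gitea_username";
            COOKIE_REMEMBER_NAME = "gitea_userauth";
          };

          server = {
            DOMAIN = domain;
            ROOT_URL = "https://${domain}/";
          };

          service = {
            # mkForce so a lower-priority definition elsewhere cannot re-enable
            # self-registration.
            DISABLE_REGISTRATION = lib.mkForce true;
          };

          session = {
            # Keys under `settings` are written to app.ini as spelled, and Gitea
            # reads COOKIE_SECURE. The camelCase `cookieSecure` was an unknown key,
            # so the Secure flag on session cookies was never actually requested.
            COOKIE_SECURE = true;
          };
        };
      };
  };

  # Owned by the service user so Gitea can read the database password.
  # NOTE(review): group "gitea" is not declared in this file; presumably the
  # gitea module creates it. Confirm the group exists and who is a member.
  sops.secrets."services/gitea/dbPass" = {
    owner = "git";
    group = "gitea";
  };

  # Account the Gitea service runs as (services.gitea.user above).
  # NOTE(review): isNormalUser makes this a regular login-style account; a
  # system user would be the least-privilege choice if nothing depends on it.
  # Confirm before changing, since it affects the account's uid range.
  users.users.git = {
    description = "Gitea Service";
    isNormalUser = true;
    home = config.services.gitea.stateDir;
    createHome = true;
    useDefaultShell = true;
  };
}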