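# NixOS module fragment: enables and configures Forgejo when "forgejo" is
# listed in config.machine.services. The service runs as the "git" user, uses
# a MySQL database whose password comes from a sops-managed secret, and has
# self-registration disabled.
{
  config,
  lib,
  ...
}:
with lib;
  mkIf (elem "forgejo" config.machine.services) {
    services = {
      forgejo = let
        cfg = config.machine;
        # Domain of the first vHost whose `service` is "forgejo". When no vHost
        # matches, findFirst returns its default (cfg itself), so `domain`
        # then resolves to cfg.domain.
        inherit ((findFirst (s: s.service == "forgejo") cfg cfg.vHosts)) domain;
      in {
        enable = true;
        user = "git";
        database = {
          type = "mysql";
          user = "git";
          name = "forgejo";
          # Password is read at runtime from the sops secret declared below,
          # so it is referenced by path instead of being written in this file.
          passwordFile = config.sops.secrets."services/forgejo/dbPass".path;
        };
        settings = {
          repository = {
            # Git over HTTP(S) stays enabled.
            DISABLE_HTTP_GIT = false;
            USE_COMPAT_SSH_URI = true;
          };

          security = {
            # Keeps the web installation page locked.
            INSTALL_LOCK = true;
            COOKIE_USERNAME = "forgejo_username";
            COOKIE_REMEMBER_NAME = "forgejo_userauth";
          };

          server = {
            DOMAIN = domain;
            # ROOT_URL is HTTPS, so session cookies should be HTTPS-only too
            # (see session.COOKIE_SECURE below).
            ROOT_URL = "https://${domain}/";
          };

          service = {
            # mkForce so that no other module definition can re-enable
            # self-registration.
            DISABLE_REGISTRATION = lib.mkForce true;
          };

          session = {
            # The app.ini key is COOKIE_SECURE. A camelCase `cookieSecure`
            # entry is not a setting Forgejo reads, so it would not mark the
            # session cookie as Secure.
            COOKIE_SECURE = true;
          };
        };
      };
    };
    # Database password secret, owned by the account the service runs as.
    sops.secrets."services/forgejo/dbPass" = {
      owner = "git";
      group = "forgejo";
    };
    # Account the Forgejo service runs as; its home is Forgejo's state
    # directory, which this declaration does not create (createHome = false).
    # NOTE(review): this is declared as a normal user with the default shell.
    # A shell is presumably needed for git-over-SSH, but confirm whether a
    # system user (isSystemUser plus an explicit group) is what is intended
    # for a service account.
    users.users.git = {
      description = "Forgejo Service";
      isNormalUser = true;
      home = config.services.forgejo.stateDir;
      createHome = false;
      useDefaultShell = true;
    };
  }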